× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. May 2004

RE: Documenting / Managing iSeries security

OK, I've been chewing on this one for about a week now, and I just have
to get my .02 in on it...

> I abhor supplemental groups.  Had a couple of problems
> with that:
> 
> 1)  Someone started assigning a 'owner' profile as a
> supplemental group
> profile.  This 'owner' profile had the special authority
> of *ALLOBJ.  Thus
> all the users with this supplemental group had *ALLOBJ.
> Cardinal rule #1-'Owner' profiles should not have any
> special authorities.

[jte] I agree whole heartedly that Owner profiles should not have any
special authority - but this example demonstrates a problem with Owner
profiles being _any kind_ of group profile, not a specific problem with
supplemental group profiles. (IMHO)  


> 2)  Supplemental groups significantly increase the length
> of your SAVSYS.
> Increased ours from 4 minutes to 44 minutes.
[jte] 
This is sort of surprising to me. I can see where a large number of
private authorities could significantly increase the SAVSYS time -
private authorities are stored in the User profile object, and so SAVSYS
could have a lot more work to do - but again this would be a problem
related to assigning private authorities to objects, and not
specifically a problem of Group Profiles.  If it is the case that
Supplemental Group Profiles increase SAVSYS time, than this is new news
to me.


> 3)  There is a limit to how many supplemental groups one
> user may be
> assigned to.  We were actually hitting this.

[jte] 
Yes the limit is 15.  And there is some evidence to suggest that as the
number of Supplemental Group profiles attached to a user profile grows,
the overall system performance _could_ degrade because of the increased
number of security checks that are required (ex, Does GROPU have
authority?  No, then does SupGroup1 have authority? No.... all the way
through the groups until you get to *PUBLIC.  :(  ), so this is a
"performance" reason not to over use Supplemental Group profiles.  

> Better to use authorization lists wisely.
[jte] 

This is the part that that really baffled me.  Group profiles (including
supplemental groups) and authorization lists are not an either/or
proposition - the proper use of both tools will give you better security
than total reliance on one or the other.  Group Profiles are used to
bunch users with similar job functions together.  Authorization lists
are used to bunch objects with similar usage rules together.  I don't
really get how I could use Autl's effectively without using groups (and
supplemental's).


jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.