Re: [Security400] Job Description Authorities

[Ed Fishel <edfishel@xxxxxxxxxx>]

David Morris asked:

> I saw that however I interpreted it to mean the user inclusive of
> authorities gained via the group on both sides of the submit. Where did
> you find the reference that says the group profiles are not used when
> checking the profile this will run under? Do you have any insight on why
> this is the case?

Actually there may not be a reference that describes when group profiles
are not used. One paragraph that comes close is from the Check User
Authority to Object (QSYCUSRA) API. It says: If the user profile is
*CURRENT or the name of the profile that is running currently, the
authority to the user includes any authority specified on the object
(private, group, authorization list, or public) plus any program adopted
authority. If the user profile is not *CURRENT or the name of the profile
that is running currently, the authority available to the user is the
authority specified on the object.

In my opinion one reason that the group profiles of the submitted user are
not used in this type of authority check is that there is no fast and easy
way to test the authorty of the groups. Normally it is LIC code that does
authority checks that involve group profiles when checking the authority of
a thread/process. I do not believe that authority from group profiles enter
into any other authority checks. (Just checking that user X is authorized
to an object will not include the group profiles of user X unless the check
is done for the thread/process where user X is running.) To do that check
anywhere above LIC in the operating system would require the checker to
re-implement that same algorithm, or it would require us to swap the
current user profile to the specific user do the authority check and then
swap back, or it would require some type of changes to LIC.

Ed Fishel,
edfishel@xxxxxxxxxx