Hi Charles

Interesting question.

I think I'd go with option 1, not least because as I understand it, the security checking process is most efficient when the lowest level of authority is *PUBLIC. I'd hazard a guess that if everything is et to *PUBLIC *EXCLUDE this will make little or no difference as the authority checking will be forced to look for specific or group profiles every time anyway :) The other reason is that then I would feel safer knowing that nobody is authorised to anything unless they are explicitly authorised. I think I would find this easier to prove from an audit point of view also.

I'm not sure about the IBM libraries. I think I'd have to test this for myself but my first though is the same as yours: changing these could be dangerous.

Making sure new objects get the right authority should be handled by your change control procedure, at least that's where I like to set this stuff programmatically by granting the object authority from a model object, but you also have the option of the authority parameter (the name escapes me) on the library object where if I remember rightly you can specify the *PUBLIC authority granted to objects created in the library.

I'm sure this is going to be more of an issue for more of us as time marches forward :)

Evan Harris

At 06:01 a.m. 23/04/2005, you wrote:

Is there any way to prevent a user profile from using *PUBLIC authority?

Here's the scenario, I've got a user profile set up for JDBC use from a external web server. All I want this profile do be able to do is call stored procedures it is specifically authorized to.

Basically, I'm concerned about *PUBLIC being expand from just "regular" users, ie. company employees, to the entire world; or at least those non employees who have logons for the web server or more worrisome, hackers that manage to breach the web server (Windows based, not by my choice ;-)

I've thought of two ways to handle this.
1) a. Create a group profile for all my "regular" users.
b. Grant the group profile the same authority that *PUBLIC currently has for each & every object
c. change *PUBLIC to *EXCLUDE for every object

2) a. Grant *EXCLUDE authority to every object for this user profile (or better yet a new group profile of which this profile will be a member)

Don't forget that when I say "every object" I'm talking about IFS files and directories too.

Couple of problems:
1) Making sure new objects on the system get the correct authorities.
2) I'd imagine that there are IBM objects I shouldn't set *EXCLUDE

What I'd really like is to be able to do a CHGUSRPRF USEPUBLIC(*NO). But that parm doesn't exist <grin>

So how do you handle this?


Charles Wilt

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.