> -----Original Message-----
> From: security400-bounces@xxxxxxxxxxxx
> [mailto:security400-bounces@xxxxxxxxxxxx]On Behalf Of Patrick Botz
> Sent: Monday, April 25, 2005 7:41 PM
> To: Security Administration on the AS400 / iSeries
> Subject: Re: [Security400] RE: Prevent User Profile from using public
> authority
>
> In my opinion, exit point products, while providing a very large amount of
> value add, are NOT a replacement for an exclusionary access control model.
> An exclusionary model defaults PUBLIC authority to *EXCLUDE -- i.e. access
> is excluded to PUBLIC by default unless and until explicitly configured
> otherwise. PUBLIC authority of *USE or greater is still appropriate for
> some data in this model, but it is not assumed to be the desired access.
> An open access control model assumes everyone should be allowed *READ or
> higher access to everything unless explicitly configured otherwise.
> Because of the heritage of i5OS many, if not most, customers have an open
> access control model.


I'm pretty much in agreement with you.  Looking back at my original post and 
the two options I outlined:

1) a. Create a group profile for all my "regular" users.
   b. Grant the group profile the same authority that *PUBLIC currently has for 
each & every object
   c. change *PUBLIC to *EXCLUDE for every object

2) a. Grant *EXCLUDE authority to every object for this user profile (or better 
yet a new group profile of which this profile will be a member)

Would you agree that #1 is exclusionary and #2 is open?  So you recommend #1?

If so, how do I go about getting it implemented?  Is the "Tips & Tricks" book 
still the best resource?

What about IBM objects?  Will option #61 "Revoke public authority to objects" 
on the SECTOOLS menu take care of everything or will I need to worry about 
other IBM objects?


Charles Wilt
iSeries Systems Administrator / Developer
Mitsubishi Electric Automotive America
ph: 513-573-4343
fax: 513-398-1121
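Option 1 from the post above, carried through for a single application library as an added CL example (not code from the thread or from IBM). The library APPLIB, the file CUSTMAST, the group profile REGUSERS and the user CWILT are assumed names; the sequence assumes a profile with *SECADM and *ALLOBJ special authority and a saved copy of the library before it runs.

```cl
/* Added example, not part of the thread: option 1 (exclusionary model)        */
/* applied to one application library.  APPLIB, CUSTMAST, REGUSERS and CWILT   */
/* are assumed names.  Run from a profile with *SECADM and *ALLOBJ, on a quiet  */
/* system, after saving the library.                                            */

/* 1a. Group profile.  PASSWORD(*NONE) means nobody can sign on as the group.   */
CRTUSRPRF USRPRF(REGUSERS) PASSWORD(*NONE) TEXT('Regular users')

/* Put each "regular" user into the group.  Repeat once per user.               */
CHGUSRPRF USRPRF(CWILT) GRPPRF(REGUSERS)

/* 1b. Record what *PUBLIC has today, per object, before changing anything.     */
/*     The outfile is the evidence for which objects need more than *USE.       */
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) OUTPUT(*OUTFILE) +
          OUTFILE(QTEMP/PUBAUTBEF)

/* Give the group the access *PUBLIC had.  *USE is the common case; an object   */
/* whose outfile row showed *CHANGE for *PUBLIC gets *CHANGE for the group.     */
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(REGUSERS) AUT(*USE)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(REGUSERS) AUT(*USE)
GRTOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) USER(REGUSERS) AUT(*CHANGE)

/* 1c. Only now exclude *PUBLIC.  Granting first and excluding second means no  */
/*     group member loses access between the two steps.                          */
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)

/* Keep it exclusionary: objects created in APPLIB from now on get *PUBLIC      */
/* *EXCLUDE instead of inheriting the system value QCRTAUT.                      */
CHGLIB LIB(APPLIB) CRTAUT(*EXCLUDE)

/* Check: *PUBLIC should now show *EXCLUDE and REGUSERS *USE or *CHANGE.         */
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)
```

The order of the grant and the exclude is the part that matters in production: if *PUBLIC is set to *EXCLUDE before the group has been granted, every user who is not the owner and has no *ALLOBJ loses access to the library until the grant completes. The DSPOBJAUT outfile taken beforehand is what tells you, object by object, whether the group needs *USE or *CHANGE; repeating it afterwards is the check that nothing was missed. This example covers only objects in one library; IBM-supplied objects and the question about the SECTOOLS option are outside what it shows.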



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.
