> -----Original Message-----
> From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
> Sent: Monday, April 25, 2005 7:41 PM
> To: Security Administration on the AS400 / iSeries
> Subject: Re: [Security400] RE: Prevent User Profile from using public authority
>
> In my opinion, exit point products, while providing a very large amount of value add, are NOT a replacement for an exclusionary access control model.
>
> An exclusionary model defaults PUBLIC authority to *EXCLUDE -- i.e. access is excluded to PUBLIC by default unless and until explicitly configured otherwise. PUBLIC authority of *USE or greater is still appropriate for some data in this model, but it is not assumed to be the desired access.
>
> An open access control model assumes everyone should be allowed *READ or higher access to everything unless explicitly configured otherwise. Because of the heritage of i5OS many, if not most, customers have an open access control model.

Patrick,

I'm pretty much in agreement with you. Looking back at my original post and the two options I outlined:

1) a. Create a group profile for all my "regular" users.
   b. Grant the group profile the same authority that *PUBLIC currently has for each & every object.
   c. Change *PUBLIC to *EXCLUDE for every object.

2) a. Grant *EXCLUDE authority to every object for this user profile (or better yet a new group profile of which this profile will be a member).

Would you agree that #1 is exclusionary and #2 is open? So you recommend #1? If so, how do I go about getting it implemented? Is the "Tips & Tricks" book still the best resource? What about IBM objects? Will option #61 "Revoke public authority to objects" on the SECTOOLS menu take care of everything or will I need to worry about other IBM objects?

Thanks,

Charles Wilt
iSeries Systems Administrator / Developer
Mitsubishi Electric Automotive America
ph: 513-573-4343
fax: 513-398-1121
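Option #1 above (group profile, mirror *PUBLIC's current authority onto the group, then set *PUBLIC to *EXCLUDE) can be scripted. The following is an added example, not code from the thread or from IBM, and it is written for a much later IBM i release than the V5R3-era systems being discussed: it relies on the Db2 for i services QSYS2.OBJECT_PRIVILEGES and QSYS2.QCMDEXC, which did not exist in 2005. The library APPLIB, the group profile REGUSERS and the user CWILT are hypothetical names. It only touches one application library; IBM-supplied objects in QSYS and the SECTOOLS question are not addressed here.

```sql
-- Added example (not from the original thread). Converts library APPLIB from an
-- open model to an exclusionary one, following option #1 in the post above.
-- Assumed/hypothetical names: library APPLIB, group profile REGUSERS, user CWILT.
-- Assumed environment: IBM i with QSYS2.OBJECT_PRIVILEGES and QSYS2.QCMDEXC
-- available; run under a profile with *ALLOBJ and *SECADM special authority.

-- 1a. Group profile: no password, cannot sign on, so it is only a container.
CALL QSYS2.QCMDEXC('CRTUSRPRF USRPRF(REGUSERS) PASSWORD(*NONE) INLMNU(*SIGNOFF) TEXT(''Regular users group'')');
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(CWILT) GRPPRF(REGUSERS)');

-- Look before changing: what does *PUBLIC have today? Anything showing *ALL
-- deserves a second look before it is copied to the group.
SELECT SYSTEM_OBJECT_NAME, OBJECT_TYPE, OBJECT_AUTHORITY, AUTHORIZATION_LIST
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'APPLIB'
   AND AUTHORIZATION_NAME = '*PUBLIC'
 ORDER BY OBJECT_TYPE, SYSTEM_OBJECT_NAME;

-- 1b + 1c. For each object in APPLIB: give REGUSERS the authority *PUBLIC has
-- now, then set *PUBLIC to *EXCLUDE. Only the three standard classes are
-- mirrored; objects already at *EXCLUDE, secured by an authorization list
-- (*AUTL) or carrying user-defined authority are left for manual review.
BEGIN
  DECLARE V_OBJ  VARCHAR(10);
  DECLARE V_TYPE VARCHAR(10);
  DECLARE V_AUT  VARCHAR(13);
  DECLARE AT_END INT DEFAULT 0;
  DECLARE C1 CURSOR FOR
    SELECT SYSTEM_OBJECT_NAME, OBJECT_TYPE, OBJECT_AUTHORITY
      FROM QSYS2.OBJECT_PRIVILEGES
     WHERE SYSTEM_OBJECT_SCHEMA = 'APPLIB'
       AND AUTHORIZATION_NAME = '*PUBLIC'
       AND OBJECT_AUTHORITY IN ('*ALL', '*CHANGE', '*USE');
  DECLARE CONTINUE HANDLER FOR NOT FOUND SET AT_END = 1;

  OPEN C1;
  FETCH C1 INTO V_OBJ, V_TYPE, V_AUT;
  WHILE AT_END = 0 DO
    -- Group gets exactly what the public had, no more.
    CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(APPLIB/' CONCAT V_OBJ CONCAT
                       ') OBJTYPE(' CONCAT V_TYPE CONCAT
                       ') USER(REGUSERS) AUT(' CONCAT V_AUT CONCAT ')');
    -- *EXCLUDE cannot be combined with other values, so this replaces
    -- whatever *PUBLIC held on the object.
    CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(APPLIB/' CONCAT V_OBJ CONCAT
                       ') OBJTYPE(' CONCAT V_TYPE CONCAT
                       ') USER(*PUBLIC) AUT(*EXCLUDE)');
    FETCH C1 INTO V_OBJ, V_TYPE, V_AUT;
  END WHILE;
  CLOSE C1;
END;

-- The library object itself lives in QSYS, so handle it separately: the group
-- needs *USE on the library to reach anything inside it, and the library's
-- CRTAUT makes *EXCLUDE the default for objects created from now on.
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(REGUSERS) AUT(*USE)');
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL QSYS2.QCMDEXC('CHGLIB LIB(APPLIB) CRTAUT(*EXCLUDE)');

-- Verify: anything still listed here was skipped by the loop and needs a
-- decision by hand (authorization lists, user-defined authority).
SELECT SYSTEM_OBJECT_NAME, OBJECT_TYPE, OBJECT_AUTHORITY, AUTHORIZATION_LIST
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'APPLIB'
   AND AUTHORIZATION_NAME = '*PUBLIC'
   AND OBJECT_AUTHORITY <> '*EXCLUDE';
```

Two caveats a practitioner would want before running this. First, group authority is only consulted when a user has no private authority of their own to the object, so users who already hold a private *EXCLUDE or a lower authority keep that after the change; the first SELECT above, re-run with AUTHORIZATION_NAME <> '*PUBLIC', shows those. Second, CRTAUT(*EXCLUDE) on the library only affects objects created afterwards; objects restored from a save keep the public authority they were saved with, so the loop should be part of the restore checklist as well.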
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.