Edwin,

Just to clarify, 

Considering that MARY is a programmer, MARY can probably
do SBMJOB and
specify USER(BOB)
which could run a program that would make the same change
and have the
same result.  Journals show
BOB made the change, but it was actually MARY.

Mary can only do the above if she has (at least) *USE authority to Bob's
profile.

This typically happens because Mary has *ALLOBJ, or Mary belongs to the
group that owns Bob's profile, or someone specifically gave Mary access
to Bob's profile.  But it is not natural.  The default on profile
creation is *PUBLIC = *EXCLUDE.

Another potential way to achieve the same end (but it only works at
QSECURITY level <40) is for Mary to submit a job using a job description
that has Bob's User name in the  "User" parameter.  in this case Mary
only needs *USE authority to the job description, and no authority to
BOB's user profile.

jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
Celebrating our 10th Anniversary Year!
 

 
This email message and any attachments are intended only for the use of
the intended recipients and may contain information that is privileged
and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message, or by telephone, and delete
the message from your email system.
--
-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of
Edwin Davidson
Sent: Thursday, June 29, 2006 12:47 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] STRSRVJOB and database journal
entries

Considering that MARY is a programmer, MARY can probably
do SBMJOB and
specify USER(BOB)
which could run a program that would make the same change
and have the
same result.  Journals show
BOB made the change, but it was actually MARY.

I also agree that this isn't a "hole".




http://www.primeinc.com
**********************************************************
************
This email and any files transmitted with it are
confidential
and intended solely for the use of the individual or
entity to
whom they are addressed.  If you have received this email
in error please reply to the sender of the message.

The views expressed in this correspondence may not
reflect the views of Prime, Inc.

This footnote also confirms that this email message has
been scanned for the presence of computer viruses.
**********************************************************
************
_______________________________________________
This is the Security Administration on the AS400 / iSeries
(Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the
archives
at http://archive.midrange.com/security400.




As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.