|
Edwin, Just to clarify,
Considering that MARY is a programmer, MARY can probably do SBMJOB and specify USER(BOB) which could run a program that would make the same change and have the same result. Journals show BOB made the change, but it was actually MARY.
Mary can only do the above if she has (at least) *USE authority to Bob's profile. This typically happens because Mary has *ALLOBJ, or Mary belongs to the group that owns Bob's profile, or someone specifically gave Mary access to Bob's profile. But it is not natural. The default on profile creation is *PUBLIC = *EXCLUDE. Another potential way to achieve the same end (but it only works at QSECURITY level <40) is for Mary to submit a job using a job description that has Bob's User name in the "User" parameter. in this case Mary only needs *USE authority to the job description, and no authority to BOB's user profile. jte -- John Earl | Chief Technology Officer The PowerTech Group 19426 68th Ave. S Seattle, WA 98032 (253) 872-7788 ext. 302 john.earl@xxxxxxxxxxxxx www.powertech.com Celebrating our 10th Anniversary Year! This email message and any attachments are intended only for the use of the intended recipients and may contain information that is privileged and confidential. If you are not the intended recipient, any dissemination, distribution, or copying is strictly prohibited. If you received this email message in error, please immediately notify the sender by replying to this email message, or by telephone, and delete the message from your email system. --
-----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Edwin Davidson Sent: Thursday, June 29, 2006 12:47 PM To: Security Administration on the AS400 / iSeries Subject: Re: [Security400] STRSRVJOB and database journal entries Considering that MARY is a programmer, MARY can probably do SBMJOB and specify USER(BOB) which could run a program that would make the same change and have the same result. Journals show BOB made the change, but it was actually MARY. I also agree that this isn't a "hole". http://www.primeinc.com ********************************************************** ************ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please reply to the sender of the message. The views expressed in this correspondence may not reflect the views of Prime, Inc. This footnote also confirms that this email message has been scanned for the presence of computer viruses. ********************************************************** ************ _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
