John:

Your opinion is valid. There are many shops that haven't crafted a complete plan to access the resources on their servers. LMTCPB is designed only to stop commands from a classic command line interface. We are in agreement that it is useless for anything else. As you have pointed out, it is possible to execute remote commands on the local server (including executing commands against 127.0.0.1) to get around the limitations imposed by LMTCPB.

I have three basic problems with LMTCPB and commands:

1) It's obsolete in that it hasn't been updated to check commands in newer interfaces. [limited scope]
2) It's checked after the user has already been determined to have object authority to the command.
3) It's difficult to find the LMTCPB "violations". They aren't placed in the system audit journal. [more obsolescence]

When used in the environment for which it was designed, LMTCPB can be a tool of last resort to stop some undesired activity. You need to look hard to find out that LMTCPB is doing anything of value on your system. The information is in the joblog. But it also can interfere with desired activity, requiring a bunch of work-arounds.

Anyway, let's talk about the Inventory Master. By giving a user *CHANGE rights to the master file, you give them rights to the file in all interfaces. The user can get at the file through EDTF/DFU or Excel, as well as the expected application interfaces. I would use adopted authority for access through the expected application interfaces and use proxy commands to limit the use of EDTF or DFU to well-defined views of the data, then take away the data rights to the file. The object authority is still checked on the remote server interfaces. If you need access to the file from one or more remote servers, you can use exit programs to give you this authority.

Database administration is a bunch of landmines. How you implement your security plan can have a significant impact on performance. I prefer to start out with a simple plan (then resist all efforts to make it more complex).

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com

> Phil,
> Would you care for a little open and spirited debate?
> <snip>

sure!
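The adopted-authority arrangement Phil describes for the Inventory Master, written out as an added CL example. This is not code from the original post or from any product; the library INVLIB, the file INVMST, the owning profile INVOWNER, the user CLERK and the program names INVUPD/INVUPDR are all assumptions chosen for illustration. The block mixes commands typed at a command line with the source of one small CL program, and it covers only the local interfaces (green screen, EDTF, DFU); the remote server interfaces still check the user's own object authority, which is where the exit programs in the post come in.

```cl
/* Step 1: remove the data rights from the file itself.                   */
/* CLERK previously had *CHANGE on the master file, which worked in every  */
/* interface (EDTF, DFU, Excel over ODBC, remote command).  With *EXCLUDE  */
/* for *PUBLIC and no private authority, those paths all fail the object   */
/* authority check before a record is read.                               */
RVKOBJAUT OBJ(INVLIB/INVMST) OBJTYPE(*FILE) USER(CLERK)   AUT(*CHANGE)
GRTOBJAUT OBJ(INVLIB/INVMST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
CHGOBJOWN OBJ(INVLIB/INVMST) OBJTYPE(*FILE) NEWOWN(INVOWNER)

/* Step 2: source member INVUPD in INVLIB/QCLSRC (assumed).                */
/* This is the application entry point.  Compiled with USRPRF(*OWNER) it  */
/* runs with INVOWNER's authority added to the caller's, and that adopted  */
/* authority flows into the programs it calls as long as they were created */
/* with USEADPAUT(*YES), which is the default.                            */
             PGM
             CALL       PGM(INVLIB/INVUPDR)
             ENDPGM

/* Step 3: compile, hand the program to the owner, and grant CLERK *USE    */
/* on the program only.  CLERK never receives authority to the file.      */
CRTCLPGM  PGM(INVLIB/INVUPD) SRCFILE(INVLIB/QCLSRC) SRCMBR(INVUPD) +
          USRPRF(*OWNER)
CHGOBJOWN OBJ(INVLIB/INVUPD) OBJTYPE(*PGM) NEWOWN(INVOWNER)
GRTOBJAUT OBJ(INVLIB/INVUPD) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(INVLIB/INVUPD) OBJTYPE(*PGM) USER(CLERK)   AUT(*USE)

/* Step 4: checks, signed on as CLERK.                                    */
CALL   PGM(INVLIB/INVUPD)       /* works: authority adopted from INVOWNER */
UPDDTA FILE(INVLIB/INVMST)      /* fails: CLERK is not authorized to file */
EDTF   FILE(INVLIB/INVMST)      /* fails for the same reason             */

/* Step 5: checks for the administrator.                                  */
DSPOBJAUT OBJ(INVLIB/INVMST) OBJTYPE(*FILE)   /* expect *PUBLIC *EXCLUDE */
DSPPGMADP USRPRF(INVOWNER)                    /* lists programs adopting  */
                                              /* INVOWNER; keep it short  */
```

Two points worth keeping in mind when doing this for real. The adopting program should do as little as possible and call the maintenance program rather than open a command line, because anything reachable from inside it runs with the owner's authority. And DSPPGMADP is the audit you come back to: every program on that list is a door into the file, so the list should contain only the application entry points you intended.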