Phil,

Adopted authority is nearly as outdated as limited capability. It
doesn't work well with triggers or IFS files and is incompletely
implemented. Adoption is ineffective in exits but based on your message
you may have overcome some of the limitations I have run up against. The
biggest reason to avoid adoption is that it is often implemented
incorrectly and is frequently the source of serious security problems. 

A few years back, I started using a technique that gives similar
function by swapping in or setting effective groups and supplemental
groups. 

--David Morris 

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Phil Ashe
Sent: Thursday, September 07, 2006 10:09 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

John:

...I have three basic problems with LMTCPB and commands. 
1) It's obsolete in that it hasn't been updated to check commands in
newer interfaces. [limited scope]
2) It's checked after the user has already been determined to have
object authority to the command.
3) It's difficult to find the LMTCPB "violations". They aren't placed in
the system audit journal. [more obsolescence]

...I would use adopted authority for access through the expected
application interfaces and use proxy commands to limit the use of EDTF
or DFU to well-defined views of the data, then take away the data rights
to the file. The object authority is still checked on the remote server
interfaces. If you need access to the file from one or more remote
servers, you can use exit programs to give you this authority...

Phil Ashe

