Phil, Adopted authority is nearly as outdated as limited capability. It doesn't work well with triggers or IFS files and is incompletely implemented. Adoption is ineffective in exits but based on your message you may have overcome some of the limitations I have run up against. The biggest reason to avoid adoption is that it is often implemented incorrectly and is frequently the source of serious security problems. A few years back, I started using a technique that gives similar function by swapping in or setting effective groups and supplemental groups. --David Morris -----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Phil Ashe Sent: Thursday, September 07, 2006 10:09 AM To: Security Administration on the AS400 / iSeries Subject: Re: [Security400] Commands for Limited Users John: ...I have three basic problems with LMTCPB and commands. 1) It's obsolete in that it hasn't been updated to check commands in newer interfaces. [limited scope] 2) It's checked after the user has already been determined to have object authority to the command. 3) It's difficult to find the LMTCPB "violations". They aren't placed in the system audit journal. [more obsolescence] ...I would use adopted authority for access through the expected application interfaces and use proxy commands to limit the use of EDTF or DFU to well-defined views of the data, then take away the data rights to the file. The object authority is still checked on the remote server interfaces. If you need access to the file from one or more remote servers, you can use exit programs to give you this authority... Phil Ashe
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.