David:

<vendor spiel>
We implemented capabilities to swap profiles in our remote server exit programs. We have the ability to increase or decrease a user's authority to an object. I think this is a common feature from many exit program providers.

I wasn't aware that adopted authority was outdated. I think it is still commonly used. I have seen poor implementations of adopted authority, usually in the one-size-fits-all implementation from some package vendors. The biggest security problem I continue to see with adopted authority is allowing the user profile that owns objects to be accessible by remote servers.

I haven't seen large applications built around adopted authority that use files outside of QSYS.LIB. I can see problems in this space.

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of David Morris
Sent: Thursday, September 07, 2006 12:30 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

Phil,

Adopted authority is nearly as outdated as limited capability. It doesn't work well with triggers or IFS files and is incompletely implemented. Adoption is ineffective in exits but based on your message you may have overcome some of the limitations I have run up against.

The biggest reason to avoid adoption is that it is often implemented incorrectly and is frequently the source of serious security problems. A few years back, I started using a technique that gives similar function by swapping in or setting effective groups and supplemental groups.

--David Morris
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].