Rob: You should see both users. The signed on user will be listed under the job user "User Name". The swapped-to user will be "User Profile". Phil Ashe NetIQ (A division of Attachmate) 1233 West Loop South, Suite 1800 | Houston, TX 77027 USA 713.418.5279 phone phil.ashe@xxxxxxxxxxxxxx www.netiq.com -----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx Sent: Thursday, September 07, 2006 12:55 PM To: Security Administration on the AS400 / iSeries Subject: [Security400] Application only access,was Commands for Limited Users And it's not future science we're talking about here. I've already been burned by IFS limitations with this stuff. Profile switching is the cure. The question I have about profile switching is what it does to journalling? Does the journal record the switched to profile, the switched from profile, or both? Adopting authority records the actual user. Then again, any data queue driven update would probably record the wrong user profile into the journal also. Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com "John Earl" <john.earl@xxxxxxxxxxxxx> Sent by: security400-bounces+rob=dekko.com@xxxxxxxxxxxx 09/07/2006 01:47 PM Please respond to Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx> To "Security Administration on the AS400 / iSeries" <security400@xxxxxxxxxxxx> cc Subject Re: [Security400] Commands for Limited Users Edwin,
Correct me if I am wrong, but the proper way to secure this object would be to have *public with *exclude, "/Serviceprofile/" with *all (or as needed) and then do a CHGPGM /pgmname/ USRPRF(*owner) to adopt the service profiles authority. Then do a CHGOBJOWN OBJ(/pgmname/) OBJTYPE(*PGM) NEWOWN(/Serviceprofile/) which will make the owner of the program the service profile.
If you accuse me of being a stickler for detail on this point, I'll accept the charge, but I would characterize the authorization scheme you have outlined here is an "adopted authority" scheme rather than an "object authority" scheme. To me an object authority scheme is one where all users of a file are granted authority to that file either directly, through one of their group profiles, or via an authorization list, and an adopted authority scheme is one where no users are allowed direct access to the data unless they go through an approved interface, and that interface is able to provide the requisite authority to get the job done. I like, and use, adopted authority schemes. But I don't think they are the same thing as object authority (maybe that is just my own semantic bugaboo). I'm also aware of the limitation that threatens their obsolescence (the fact that adopted authority is not supported in file systems other than QSYS.LIB). Most of the newer web based applications are use objects in file systems other than QSYS.LIB, so a traditional adopted authority scheme will not be effective. And this is the point that leaves me confused about the whole "object level security" promotion. Most of the folks that I have heard promote OLS as "the correct way" to do secure a System i, don't really mean OLS, they mean "adopted authority". But adopted authority has a serious shortcoming that limits it's usefulness in the file systems that the majority of new applications would use. jte -- John Earl | Chief Technology Officer The PowerTech Group 19426 68th Ave. S Seattle, WA 98032 (253) 872-7788 ext. 302 john.earl@xxxxxxxxxxxxx www.powertech.com Celebrating our 10th Anniversary Year! _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.