Rob,

I don't believe Authority lists and Group Profiles are mutually
exclusive; I think they are complementary.  The way we have always
practiced (and preached) it is like this:

Group Profiles are used to assemble users who do a similar function into
a group.  Authority lists assemble objects that should be secured
similarly into an object group.  The combination of the two provides for
the most efficient way that I know of to secure individual objects in
OS/400.

You could choose to use just one or the other, but they are not mutually
exclusive.

jte



--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
Celebrating our 10th Anniversary Year!

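The combination John describes, as an added CL example that is not part of the original message: one group profile per job function, one authority list per set of like-secured objects, with the group granted on the list and the objects secured by it. The names PAYCLERK, PAYROLL, JSMITH and PAYLIB/PAYMAST, PAYLIB/PAYHIST are assumed.

```cl
/* Added example (not from the original message): one group profile per job    */
/* function, one authority list per set of like-secured objects, tied together. */
/* PAYCLERK, PAYROLL, JSMITH and the PAYLIB objects are assumed names.          */

/* Group profile: no password, so nobody signs on as the group itself.          */
CRTUSRPRF  USRPRF(PAYCLERK) PASSWORD(*NONE) TEXT('Payroll clerk group')

/* Authority list: *PUBLIC on the list is *EXCLUDE, the group gets *CHANGE.     */
CRTAUTL    AUTL(PAYROLL) AUT(*EXCLUDE) TEXT('Payroll master data')
ADDAUTLE   AUTL(PAYROLL) USER(PAYCLERK) AUT(*CHANGE)

/* Secure each object by the list and let its public authority come from it.   */
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYROLL)
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT  OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) AUTL(PAYROLL)
GRTOBJAUT  OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Put a user into the function: group membership is the only thing that       */
/* changes when someone joins or leaves payroll; the objects are not touched.  */
CHGUSRPRF  USRPRF(JSMITH) GRPPRF(PAYCLERK)

/* Verify: who is on the list, and which objects the list secures.             */
DSPAUTL    AUTL(PAYROLL)
DSPAUTLOBJ AUTL(PAYROLL)
```

Any private authorities already granted directly on the files still apply alongside the list, so review DSPOBJAUT for each object when converting existing objects to this scheme.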
-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of
rob@xxxxxxxxx
Sent: Thursday, September 07, 2006 10:42 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

I much prefer authorization lists over groups.  Supplemental groups make
me shudder.  The overhead on them is tremendous.  A simple SAVSYS went
from 4 minutes to 44 minutes when we tinkered around with them.  IBM
dialed in and via PRTPVTAUT determined supplemental groups to be the
culprit.  Besides, we had more supplemental groups than you could put in
CHGUSRPRF SUPGRPPRF(...).  Lots of divisions, and then each division had a
different software vendor between accounting and ERP.  When you have two
different divisions feeding two different fierce competitors we had to
demonstrate a pretty solid line between the two.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


From: "David Morris" <David.Morris@xxxxxxxxxxxxx>
Sent by: security400-bounces@xxxxxxxxxxxx
Date: 09/07/2006 01:30 PM
Please respond to: Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx>
To: "Security Administration on the AS400 / iSeries" <security400@xxxxxxxxxxxx>
Subject: Re: [Security400] Commands for Limited Users

Phil,

Adopted authority is nearly as outdated as limited capability.  It
doesn't work well with triggers or IFS files and is incompletely
implemented.  Adoption is ineffective in exits but based on your message
you may have overcome some of the limitations I have run up against.  The
biggest reason to avoid adoption is that it is often implemented
incorrectly and is frequently the source of serious security problems.

A few years back, I started using a technique that gives similar
function by swapping in or setting effective groups and supplemental
groups.

--David Morris

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of
Phil Ashe
Sent: Thursday, September 07, 2006 10:09 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

John:

...I have three basic problems with LMTCPB and commands.
1) It's obsolete in that it hasn't been updated to check commands in
newer interfaces. [limited scope]
2) It's checked after the user has already been determined to have
object authority to the command.
3) It's difficult to find the LMTCPB "violations". They aren't placed in
the system audit journal. [more obsolescence]

...I would use adopted authority for access through the expected
application interfaces and use proxy commands to limit the use of EDTF
or DFU to well-defined views of the data, then take away the data rights
to the file. The object authority is still checked on the remote server
interfaces. If you need access to the file from one or more remote
servers, you can use exit programs to give you this authority...

Phil Ashe

_______________________________________________
This is the Security Administration on the AS400 / iSeries
(Security400)
mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the
archives
at http://archive.midrange.com/security400.