Rob,

I don't believe Authority lists and Group Profiles are mutually exclusive; I think they are complementary. The way we have always practiced (and preached) it is like this: Group Profiles are used to assemble users who do a similar function into a group. Authority lists assemble objects that should be secured similarly into an object group. The combination of the two provides for the most efficient way that I know of to secure individual objects in OS/400. You could choose to use just one or the other, but they are not mutually exclusive.

jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com
Celebrating our 10th Anniversary Year!

This email message and any attachments are intended only for the use of the intended recipients and may contain information that is privileged and confidential. If you are not the intended recipient, any dissemination, distribution, or copying is strictly prohibited. If you received this email message in error, please immediately notify the sender by replying to this email message, or by telephone, and delete the message from your email system.

--
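An added example of the pattern John describes (one group profile per job function, one authorization list per set of like objects, joined by a single list entry), written for this page in CL; it is not John's or PowerTech's code. The library PAYLIB, files PAYMAST and PAYHIST, group profile PAYGRP, list PAYRD and user JSMITH are assumed names.

```cl
/* Added example, not from the post above: a group profile for the    */
/* job function, an authorization list for the objects that must be   */
/* secured the same way, and the list entry that joins the two.       */
/* Assumed names: library PAYLIB, files PAYMAST and PAYHIST, group    */
/* profile PAYGRP, authorization list PAYRD, user JSMITH.             */
             PGM

/* Object side: one list for payroll files that users may only read.  */
             CRTAUTL    AUTL(PAYRD) TEXT('Payroll files - read only')
/* The list's own *PUBLIC entry is what anyone not on the list gets;  */
/* make it *EXCLUDE so the list is deny-by-default.                   */
             CHGAUTLE   AUTL(PAYRD) USER(*PUBLIC) AUT(*EXCLUDE)

/* Secure each file with the list, and set the object-level *PUBLIC  */
/* to *AUTL explicitly: if the object kept a permissive public        */
/* authority of its own (say *CHANGE), users not on the list would    */
/* get that instead of falling through to the list's *EXCLUDE.        */
             GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYRD)
             GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) +
                          USER(*PUBLIC) AUT(*AUTL)
             GRTOBJAUT  OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) AUTL(PAYRD)
             GRTOBJAUT  OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) +
                          USER(*PUBLIC) AUT(*AUTL)

/* User side: a group profile nobody signs on as (no password, no     */
/* special authorities), and the people who do this job placed in it. */
             CRTUSRPRF  USRPRF(PAYGRP) PASSWORD(*NONE) SPCAUT(*NONE) +
                          TEXT('Group: payroll read-only users')
             CHGUSRPRF  USRPRF(JSMITH) GRPPRF(PAYGRP)

/* The join: one list entry gives the whole group *USE on every       */
/* object the list secures, including objects attached later.         */
             ADDAUTLE   AUTL(PAYRD) USER(PAYGRP) AUT(*USE)

/* Checks: who is on the list, which objects it secures, and whether  */
/* any private authority was granted directly on a file. A private    */
/* authority on the object is checked before the list and overrides   */
/* it for that user, so stray grants here defeat the design.          */
             DSPAUTL    AUTL(PAYRD) OUTPUT(*PRINT)
             DSPAUTLOBJ AUTL(PAYRD) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
             ENDPGM
```

Adding a new payroll file later is one GRTOBJAUT with AUTL(PAYRD) (plus the *PUBLIC AUT(*AUTL) step); adding a new payroll clerk is one CHGUSRPRF with GRPPRF(PAYGRP). Neither change touches the other side, which is the efficiency John is describing.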
-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Thursday, September 07, 2006 10:42 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

I much prefer authorization lists over groups. Supplemental groups make me shudder. The overhead on them is tremendous. A simple SAVSYS went from 4 minutes to 44 minutes when we tinkered around with them. IBM dialed in and via PRTPVTAUT determined supplemental groups to be the culprit. Besides, we had more supplemental groups than you could put in CHGUSRPRF SUPGRPPRF(...). Lots of divisions, and then each division had a different software vendor between accounting and ERP. When you have two different divisions feeding two different fierce competitors we had to demonstrate a pretty solid line between the two.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

"David Morris" <David.Morris@xxxxxxxxxxxxx>
Sent by: security400-bounces@xxxxxxxxxxxx
09/07/2006 01:30 PM
Please respond to Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx>

To: "Security Administration on the AS400 / iSeries" <security400@xxxxxxxxxxxx>
cc:
Subject: Re: [Security400] Commands for Limited Users

Phil,

Adopted authority is nearly as outdated as limited capability. It doesn't work well with triggers or IFS files and is incompletely implemented. Adoption is ineffective in exits, but based on your message you may have overcome some of the limitations I have run up against. The biggest reason to avoid adoption is that it is often implemented incorrectly and is frequently the source of serious security problems. A few years back, I started using a technique that gives similar function by swapping in or setting effective groups and supplemental groups.
--David Morris

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Phil Ashe
Sent: Thursday, September 07, 2006 10:09 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

John:

...I have three basic problems with LMTCPB and commands.

1) It's obsolete in that it hasn't been updated to check commands in newer interfaces. [limited scope]
2) It's checked after the user has already been determined to have object authority to the command.
3) It's difficult to find the LMTCPB "violations". They aren't placed in the system audit journal. [more obsolescence]

...I would use adopted authority for access through the expected application interfaces and use proxy commands to limit the use of EDTF or DFU to well-defined views of the data, then take away the data rights to the file. The object authority is still checked on the remote server interfaces. If you need access to the file from one or more remote servers, you can use exit programs to give you this authority...

Phil Ashe

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.
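An added example of the design Phil outlines in the message quoted above (adopted authority on the expected application path, data rights taken away from the users themselves, and a limited-capability profile allowed only its wrapper command); this is written for this page and is not code from any of the posters. Every name is assumed: library PAYLIB, file PAYMAST, owner profile PAYOWN, application program PAYAPP (with its CL source in member PAYAPP of PAYLIB/QCLSRC), wrapper command PAYVIEW, group profile PAYGRP and user JSMITH.

```cl
/* Added example, not from the thread: adopted authority on the       */
/* application path, no direct data rights for users, and a           */
/* limited-capability profile. All names are assumed: library PAYLIB, */
/* file PAYMAST, owner profile PAYOWN, program PAYAPP (source member   */
/* PAYAPP in PAYLIB/QCLSRC), wrapper command PAYVIEW, group PAYGRP,   */
/* user JSMITH.                                                       */
             PGM

/* 1. A profile that owns the data and the application. Nobody signs  */
/*    on as it and it holds no special authority, so a program that   */
/*    adopts it gains only the object rights granted to it here.      */
             CRTUSRPRF  USRPRF(PAYOWN) PASSWORD(*NONE) SPCAUT(*NONE) +
                          TEXT('Owner of payroll data and programs')
             CHGOBJOWN  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) NEWOWN(PAYOWN)

/* 2. Take the data rights away from everyone else. A user with no    */
/*    private or group authority to PAYMAST is now refused on DFU,    */
/*    SQL, FTP and ODBC alike, because those interfaces check object  */
/*    authority regardless of the LMTCPB setting.                     */
             GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) +
                          USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. The application adopts its owner's authority while it runs. It  */
/*    is created with USRPRF(*OWNER) and then owned by PAYOWN; the    */
/*    job function gets *USE on the program and nothing on the file.  */
             CRTCLPGM   PGM(PAYLIB/PAYAPP) SRCFILE(PAYLIB/QCLSRC) +
                          USRPRF(*OWNER) AUT(*EXCLUDE)
             CHGOBJOWN  OBJ(PAYLIB/PAYAPP) OBJTYPE(*PGM) NEWOWN(PAYOWN)
             GRTOBJAUT  OBJ(PAYLIB/PAYAPP) OBJTYPE(*PGM) +
                          USER(PAYGRP) AUT(*USE)

/* 4. A limited-capability user: the application is the initial       */
/*    program, sign-off is the menu, and the wrapper command is the   */
/*    only one flagged as allowed for limited users.                  */
             CHGCMD     CMD(PAYLIB/PAYVIEW) ALWLMTUSR(*YES)
             CHGUSRPRF  USRPRF(JSMITH) LMTCPB(*YES) +
                          INLPGM(PAYLIB/PAYAPP) INLMNU(*SIGNOFF)

/* Checks. DSPPGMADP lists every program that adopts PAYOWN; it       */
/* should show PAYAPP and nothing unexpected, since any program in    */
/* that list is a path to the data. DSPPGM confirms the program's     */
/* user profile attribute is *OWNER.                                  */
             DSPPGMADP  USRPRF(PAYOWN) OUTPUT(*PRINT)
             DSPPGM     PGM(PAYLIB/PAYAPP) OUTPUT(*PRINT)
             ENDPGM
```

Step 2 is the part that does not depend on LMTCPB at all, which is why Phil's ordering (adopt on the application path first, then revoke the data rights) matters: once *PUBLIC is *EXCLUDE on the file, the only way to the data is through a program that adopts PAYOWN, and DSPPGMADP enumerates exactly that set. Adopted authority does not carry over to every interface (David's message above lists the ones he has found it ineffective in), so any remote-server path that still needs the file is handled by an exit program, as Phil notes, rather than by granting the user rights on the file.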