And this is the point that leaves me confused about the whole "object
level security" promotion.  Most of the folks that I have heard promote
OLS as "the correct way" to secure a System i don't really mean OLS,
they mean "adopted authority".  But adopted authority has a serious
shortcoming that limits its usefulness in the file systems that the
majority of new applications would use.
  

Yes.  No doubt.   It's not the ONLY solution for everything, just the 
one I would have used for the given example.  If the example was 
expanded and the users needed to download the file for example, the 
solution would have changed.

I think one should employ adopted authority when and where it makes 
sense.   One should also have object level authority with authorization 
groups where that makes sense (most everywhere, imo.)  One should also 
have one of these 3rd party solutions with exit points on everything, and 
control down to groups who can use ODBC, which files they can access, 
and even what SQL commands they can perform.

One should also use the /new/ IBM client access authorities (iSeries 
navigator, Users and groups, /select one/, Capabilities, and then 
Applications) and you're there.

You should also have auditing turned on, both within IBM security auditing, 
the 3rd party products, and your own custom auditing which processes 
journals of file changes.  We journal EVERY file, including the IBM 
system files.  The only exception being some temporary work files which 
are immediately cleared.

For the IFS, you have WRKLNK and you can set authorities there.   The 
way the authorities work in the IFS really threw me for a loop as I was 
used to Novell's method of securing directories.   I had to create a test 
profile to verify my security was actually doing what I wanted it to.  
It seemed counter-intuitive to me with regard to how the authorities 
flowed down the directory branches.

We also do the profile swapping thing.  (QSYGETPH)
http://www.itjungle.com/mpo/mpo071703-story02.html

http://www.primeinc.com
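The "profile swapping thing" mentioned above, written out as an added CL example (this is not code from the poster or from the linked article). It shows the pattern the thread is pointing at: adopted authority is not honored in the root, QOpenSys and user-defined file systems (the shortcoming the quoted message refers to), so a program that must touch IFS objects on a user's behalf swaps the job to an application profile with QSYGETPH/QWTSETP, does the work, and swaps back. The profile name passed in (&TARGET), the paths under /appdata and the use of *NOPWD are assumptions for illustration. *NOPWD means no password is checked, so the caller must already hold *USE authority to the target profile; in practice this program would be compiled with USRPRF(*OWNER), owned by a profile that has that *USE authority, and secured *PUBLIC *EXCLUDE, so that end users can reach the swap only through this program.

```cl
             PGM        PARM(&TARGET)
             /* &TARGET: user profile to swap to (assumed to be an       */
             /* application-owner profile such as the one owning /appdata) */
             DCL        VAR(&TARGET)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&HNDCUR)  TYPE(*CHAR) LEN(12)
             DCL        VAR(&HNDNEW)  TYPE(*CHAR) LEN(12)
             /* API error code with "bytes provided" = 0: failures are   */
             /* signalled as escape messages that MONMSG can catch.      */
             DCL        VAR(&ERRCODE) TYPE(*CHAR) LEN(8) +
                          VALUE(X'0000000000000000')

             /* 1. Get a handle for the caller's own profile first, so   */
             /*    there is always a way back to the original identity.  */
             CALL       PGM(QSYGETPH) PARM('*CURRENT' '*NOPWD' &HNDCUR +
                          &ERRCODE)

             /* 2. Get a handle for the target profile. *NOPWD skips the */
             /*    password check and relies on *USE authority to the    */
             /*    profile, which this program supplies via USRPRF(*OWNER). */
             CALL       PGM(QSYGETPH) PARM(&TARGET '*NOPWD' &HNDNEW &ERRCODE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               /* Release the handle we already hold before giving up.   */
               CALL       PGM(QSYRLSPH) PARM(&HNDCUR &ERRCODE)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                            MSGDTA('Cannot obtain profile handle for' +
                            *BCAT &TARGET) MSGTYPE(*ESCAPE)
             ENDDO

             /* 3. Swap: from here on the thread runs as &TARGET, so IFS */
             /*    authority checks are made against that profile.       */
             CALL       PGM(QWTSETP) PARM(&HNDNEW &ERRCODE)

             /* 4. The IFS work that adopted authority would not cover.  */
             /*    Any failure falls through to the swap-back below so   */
             /*    the job never stays under the swapped identity.       */
             CPY        OBJ('/appdata/in/report.csv') +
                          TODIR('/appdata/archive') REPLACE(*YES)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(SWAPBACK))

             /* 5. Swap back to the caller and release both handles;     */
             /*    an unreleased handle stays usable for the life of the */
             /*    job, which is exactly what a later caller should not  */
             /*    inherit.                                              */
 SWAPBACK:   CALL       PGM(QWTSETP) PARM(&HNDCUR &ERRCODE)
             CALL       PGM(QSYRLSPH) PARM(&HNDNEW &ERRCODE)
             CALL       PGM(QSYRLSPH) PARM(&HNDCUR &ERRCODE)
             ENDPGM
```

Two checks worth making on a real system, in the spirit of the test-profile approach described above: sign on as an ordinary user with no direct authority to /appdata and confirm the copy fails before the swap and succeeds through this program, and look at the job log and the security audit journal for that job to confirm the IFS operation is recorded under the swapped profile, since that is what your auditing will see.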

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work.