Tom:

If we use the InfoCenter as the arbiter, then adopted authority relates
only to the use of the use adopted authority (USEADPAUT) parameter and
can be validated through the DSPPGMADP command. We shouldn't try to
confuse swap profile functionality with adopt authority functionality.
Currently, the operating system tools for managing authority adoption
can't be used to manage profile swapping.

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com  

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of
qsrvbas@xxxxxxxxxxxx
Sent: Thursday, September 07, 2006 5:06 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

David.Morris wrote:

In your original message you said:

"I would use adopted authority for access through the expected 
application interfaces and use proxy commands to limit the use of EDTF

or DFU to well-defined views of the data, then take away the data 
rights to the file. The object authority is still checked on the 
remote server interfaces. If you need access to the file from one or 
more remote servers, you can use exit programs to give you this
authority."

I took that to mean that you used adopted authority in your exit 
program but it sounds like you are actually swapping or setting the 
effective user, which is the approach I use in all cases where I used 
to use adoption. There are some other steps you need to take like 
register exits to back out the authority to mimic adoption.

Now there's an interesting point to discuss...

One item that is needed is a clear agreement on terms. "Adopted
authority" is used in ways that seem to mean different things to
different people at different times. I have had a personal understanding
that limits its meaning, and maybe others could comment so that a
consensus is reached and available.

To me, "adopted authority" refers specifically to the authority gained
by a program that has the USRPRF(*OWNER) attribute set. It does _not_
refer to any authority resulting from the use of any profile-switching
APIs. "Adopted authority" becomes active when, within the program, an
object access is attempted and the job current user does not have
sufficient authority but (1) the program USRPRF(*OWNER) attribute is set
and (2) the program owner does have sufficient authority.

One result is that the USEADPAUT(*YES/*NO) program attribute _only_
affects the authority gained within a higher program in the call stack
by the above mechanism. It has no effect on authority gained by a
profile switch from any API because that isn't "adopted authority".

Anybody have modifications (or direct corrections) to add?

Tom Liotta

--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertech.com
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/security400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.