Phil,
John: Your opinion is valid. There are many shops that haven't crafted a complete plan to access the resources on their servers.
[jte] Thanks for validating my opinion - I guess that should mean a lot to me. <g> I would also opine that rather than saying "There are many shops that haven't crafted a complete plan to access the resources on their servers", a more accurate statement would be "There are precious few shops that have crafted a complete plan to access the resources on their servers." I've had a standing offer for a couple of years now for someone to submit a detailed object level security scheme to this list, but I haven't seen one yet. Heck, I'd be happy (and amazed) just to see one from a business application vendor - but haven't seen one of those either. Maybe I'm just a bit jaded, but I am beginning to suspect that there isn't a single shop out there that does OLS across their entire application set the way we all want to believe it could/should be done.
I have three basic problems with LMTCPB and commands. 1) It's obsolete in that it hasn't been updated to check commands in newer interfaces. [limited scope]
[jte] Well, they did update FTP in V4R2 to reject commands from limited capability users (but you already knew that, right?), but I think your larger point on this issue still stands.
Anyway, let's talk about the Inventory Master. By giving a user *CHANGE rights to the master file, you give them rights to the file in all interfaces. The user can get at the file through EDTF/DFU or Excel, as well as the expected application interfaces. I would use adopted authority for access through the expected application interfaces and use proxy commands to limit the use of EDTF or DFU to well-defined views of the data, then take away the data rights to the file. The object authority is still checked on the remote server interfaces. If you need access to the file from one or more remote servers, you can use exit programs to give you this authority.
[jte] Phil, I think this just proves my earlier point, OLS is a good starting point, but when it comes down to brass tacks, you have to augment OLS with something like Adopted Authority or exit programs or application controls or???, otherwise it ends up just not being granular enough. As someone stated earlier (was it Edwin?) there is no silver bullet to OS/400 security. You have to augment it with other approaches, otherwise you'll find that it is not practical to get where you want to go.

jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com

Celebrating our 10th Anniversary Year!

This email message and any attachments are intended only for the use of the intended recipients and may contain information that is privileged and confidential. If you are not the intended recipient, any dissemination, distribution, or copying is strictly prohibited. If you received this email message in error, please immediately notify the sender by replying to this email message, or by telephone, and delete the message from your email system.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].