We might also point out that under these circumstances, the group profile(s) would essentially be the only user(s) entered on the authorization lists.
The links in the authority chain can be very concise this way. I'd be interested in how Rob's group profiles were set up so that they caused long save-times.
Tom Liotta john.earl wrote:
Rob, I don't believe Authority lists and Group Profiles are mutually exclusive, I think they are complimentary. The way we have always practiced (and preached) it is like this: Group Profiles are used to assemble users who do a similar function into a group. Authority lists assemble objects that should be secured similarly into an object group. The combination of the two provides for the most efficient way that I know of to secure individual objects in OS/400. You could choose to use just one or the other, but they are not mutually exclusive.-----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of rob I much prefer authorization lists over groups. Supplemental groups make me shudder. The overhead on them is tremendous. A simple SAVSYS went from 4 minutes to 44 minutes when we tinkered around with them. IBM dialed in and via PRTPVTAUT determined supplemental groups to be the culprit. Besides, we had more supplemental groups than you could put in CHGUSRPRF SUPGRPPRF(...). Lots of divisions, and then each division had a different software vendor between accounting and ERP. When you have two different divisions feeding two different fierce competitors we had to demonstrate a pretty solid line between the two. "David Morris" Sent by: security400-bounces@xxxxxxxxxxxx Adopted authority is nearly as outdated as limited capability. It doesn't work well with triggers or IFS files and is incompletely implemented. Adoption is ineffective in exits but based on your message you may have overcome some of the limitations I have run up against. The biggest reason to avoid adoption is that it is often implemented incorrectly and is frequently the source of serious security problems. A few years back, I started using a technique that gives similar function by swapping in or setting effective groups and supplemental groups.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.