We might also point out that under these circumstances, the group profile(s) would essentially be the only user(s) entered on the authorization lists.

The links in the authority chain can be very concise this way. I'd be interested in how Rob's group profiles were set up so that they caused long save-times.

Tom Liotta

john.earl wrote:
Rob,

I don't believe Authority lists and Group Profiles are mutually
exclusive; I think they are complementary.  The way we have always
practiced (and preached) it is like this:

Group Profiles are used to assemble users who do a similar function into
a group.  Authority lists assemble objects that should be secured
similarly into an object group.  The combination of the two provides for
the most efficient way that I know of to secure individual objects in
OS/400.

You could choose to use just one or the other, but they are not mutually
exclusive.

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of
rob

I much prefer authorization lists over groups. Supplemental groups make me shudder.  The overhead on them is tremendous.  A simple SAVSYS went from 4 minutes to 44 minutes when we tinkered around with them.  IBM dialed in and via PRTPVTAUT determined supplemental groups to be the culprit.  Besides, we had more supplemental groups than you could put in CHGUSRPRF SUPGRPPRF(...).  Lots of divisions, and then each division had a different software vendor between accounting and ERP. When you have two different divisions feeding two different fierce competitors we had to demonstrate a pretty solid line between the two.


"David Morris"
Sent by: security400-bounces@xxxxxxxxxxxx

Adopted authority is nearly as outdated as limited capability. It doesn't work well with triggers or IFS files and is incompletely implemented. Adoption is ineffective in exits but based on your message you may have overcome some of the limitations I have run up against. The biggest reason to avoid adoption is that it is often implemented incorrectly and is frequently the source of serious security problems.

A few years back, I started using a technique that gives similar function by swapping in or setting effective groups and supplemental groups.
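
The arrangement described in the thread above (users gathered into group profiles, objects gathered under an authorization list, and the group profiles as the only entries on that list), sketched as a CL program. This is an added example and not part of any poster's message; every profile, list, library and file name in it is hypothetical.

```cl
PGM
  /* Group profiles: no password, so nobody can sign on as the group */
  CRTUSRPRF  USRPRF(GRPACCT) PASSWORD(*NONE) +
             TEXT('Accounting staff - update')
  CRTUSRPRF  USRPRF(GRPAUDIT) PASSWORD(*NONE) +
             TEXT('Auditors - read only')

  /* Users who do a similar function share one group profile */
  CHGUSRPRF  USRPRF(JSMITH) GRPPRF(GRPACCT)
  CHGUSRPRF  USRPRF(MJONES) GRPPRF(GRPAUDIT)

  /* One authorization list for objects secured the same way. */
  /* AUT(*EXCLUDE) is the public authority carried by the list. */
  CRTAUTL    AUTL(ACCTDATA) AUT(*EXCLUDE) +
             TEXT('Accounting data objects')

  /* The group profiles are the only entries on the list */
  ADDAUTLE   AUTL(ACCTDATA) USER(GRPACCT) AUT(*CHANGE)
  ADDAUTLE   AUTL(ACCTDATA) USER(GRPAUDIT) AUT(*USE)

  /* Secure each object with the list and let *PUBLIC defer to it */
  GRTOBJAUT  OBJ(ACCTLIB/LEDGER) OBJTYPE(*FILE) AUTL(ACCTDATA)
  GRTOBJAUT  OBJ(ACCTLIB/LEDGER) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*AUTL)
  GRTOBJAUT  OBJ(ACCTLIB/INVOICES) OBJTYPE(*FILE) AUTL(ACCTDATA)
  GRTOBJAUT  OBJ(ACCTLIB/INVOICES) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*AUTL)

  /* Review: entries on the list, then the objects it secures */
  DSPAUTL    AUTL(ACCTDATA) OUTPUT(*PRINT)
  DSPAUTLOBJ AUTL(ACCTDATA) OUTPUT(*PRINT)
ENDPGM
```

The review commands at the end make the authority chain easy to audit: any individual user profile that shows up on the list, or any private authority on the secured objects outside the list, departs from the two-level scheme.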

