× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. September 2006

Re: Commands for Limited Users

There is no one right answer.  In fact, swapping has it's own limitations.
For example, unless you're running under a user profile with *SECADM and
*ALLOBJ, you have to have the password to the profile you're trying to swap
to.   Last time I checked, hardcoded passwords was also a bad idea.

How does one avoid this issue?  Adopted authority!  The programs that need
to swap to another profile can adopted that profile or a profile with
*SECADM and authority to the profile before swapping to it!  No password
needed.

Moral of the story:  there is NO one right or wrong way.  You have to use
all of the tools in your toolbox.  Just because there are some cases where
you need a different tool, doesn't mean that there are no cases where it is
the best tool.

Authorization lists, groups, supplemental groups, adopted authority, and
most importantly Object level Access control (to implement an exclusionary
access control scheme) are all useful.  The key is to pick the right tool
for the right job.

Object Level Security is NOT sufficient for implementing your security
policy.  It is NECESSARY, however, because it is the only way to implement
an exclusionary access control mechanism.   Exit point programs are very
useful when they are used to ALLOW access when it would otherwise be
denied.  They cannot be used to DENY access which is otherwise allowed --
there are too many ways and interfaces that can be used to bypass a
particular exit point.

Patrick Botz
Senior Technical Staff Member
IBM Lab Services, Rochester
Security Architecture & Consulting, i5/OS Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx

For more information on CTC, visit our website at
http://www.ibm.com/eserver/services
http://www.ibm.com/servers/eserver/services


security400-bounces@xxxxxxxxxxxx wrote on 09/07/2006 12:38:24 PM:


Well, isn't THAT special. We just went through a change making all
programs that are submitted to adopt the owner's authority. So far so
good. However, what is not so good is the "outdated" comment.

Could you go into a little bit of detail about what you have done to not
need adoption. I'm would like to picture what kind of effort would be
required to accomplish what it is you are talking about.

-----Original Message-----

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.