|
Thank you. I'll try to transplant some hair in to replace what is missing, and continue on!! :-) -----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz Sent: Monday, September 11, 2006 2:22 PM To: Security Administration on the AS400 / iSeries Subject: Re: [Security400] Commands for Limited Users There is no one right answer. In fact, swapping has it's own limitations. For example, unless you're running under a user profile with *SECADM and *ALLOBJ, you have to have the password to the profile you're trying to swap to. Last time I checked, hardcoded passwords was also a bad idea. How does one avoid this issue? Adopted authority! The programs that need to swap to another profile can adopted that profile or a profile with *SECADM and authority to the profile before swapping to it! No password needed. Moral of the story: there is NO one right or wrong way. You have to use all of the tools in your toolbox. Just because there are some cases where you need a different tool, doesn't mean that there are no cases where it is the best tool. Authorization lists, groups, supplemental groups, adopted authority, and most importantly Object level Access control (to implement an exclusionary access control scheme) are all useful. The key is to pick the right tool for the right job. Object Level Security is NOT sufficient for implementing your security policy. It is NECESSARY, however, because it is the only way to implement an exclusionary access control mechanism. Exit point programs are very useful when they are used to ALLOW access when it would otherwise be denied. They cannot be used to DENY access which is otherwise allowed -- there are too many ways and interfaces that can be used to bypass a particular exit point. Patrick Botz Senior Technical Staff Member IBM Lab Services, Rochester Security Architecture & Consulting, i5/OS Security Architect (507) 253-0917, T/L 553-0917 CTC Fax # 507-253-2070 email: botz@xxxxxxxxxx For more information on CTC, visit our website at http://www.ibm.com/eserver/services http://www.ibm.com/servers/eserver/services security400-bounces@xxxxxxxxxxxx wrote on 09/07/2006 12:38:24 PM:
Well, isn't THAT special. We just went through a change making all programs that are submitted to adopt the owner's authority. So far so good. However, what is not so good is the "outdated" comment. Could you go into a little bit of detail about what you have done to not need adoption. I'm would like to picture what kind of effort would
be required to accomplish what it is you are talking about. -----Original Message-----
_______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.