Thank you. I'll try to transplant some hair in to replace what is missing, and continue on!! :-) -----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz Sent: Monday, September 11, 2006 2:22 PM To: Security Administration on the AS400 / iSeries Subject: Re: [Security400] Commands for Limited Users There is no one right answer. In fact, swapping has it's own limitations. For example, unless you're running under a user profile with *SECADM and *ALLOBJ, you have to have the password to the profile you're trying to swap to. Last time I checked, hardcoded passwords was also a bad idea. How does one avoid this issue? Adopted authority! The programs that need to swap to another profile can adopted that profile or a profile with *SECADM and authority to the profile before swapping to it! No password needed. Moral of the story: there is NO one right or wrong way. You have to use all of the tools in your toolbox. Just because there are some cases where you need a different tool, doesn't mean that there are no cases where it is the best tool. Authorization lists, groups, supplemental groups, adopted authority, and most importantly Object level Access control (to implement an exclusionary access control scheme) are all useful. The key is to pick the right tool for the right job. Object Level Security is NOT sufficient for implementing your security policy. It is NECESSARY, however, because it is the only way to implement an exclusionary access control mechanism. Exit point programs are very useful when they are used to ALLOW access when it would otherwise be denied. They cannot be used to DENY access which is otherwise allowed -- there are too many ways and interfaces that can be used to bypass a particular exit point. Patrick Botz Senior Technical Staff Member IBM Lab Services, Rochester Security Architecture & Consulting, i5/OS Security Architect (507) 253-0917, T/L 553-0917 CTC Fax # 507-253-2070 email: botz@xxxxxxxxxx For more information on CTC, visit our website at http://www.ibm.com/eserver/services http://www.ibm.com/servers/eserver/services security400-bounces@xxxxxxxxxxxx wrote on 09/07/2006 12:38:24 PM:
Well, isn't THAT special. We just went through a change making all programs that are submitted to adopt the owner's authority. So far so good. However, what is not so good is the "outdated" comment. Could you go into a little bit of detail about what you have done to not need adoption. I'm would like to picture what kind of effort would
be required to accomplish what it is you are talking about. -----Original Message-----
_______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.