Thank you. I'll try to transplant some hair in to replace what is
missing, and continue on!! :-) 

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Monday, September 11, 2006 2:22 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

There is no one right answer.  In fact, swapping has it's own
limitations.
For example, unless you're running under a user profile with *SECADM and
*ALLOBJ, you have to have the password to the profile you're trying to
swap
to.   Last time I checked, hardcoded passwords was also a bad idea.

How does one avoid this issue?  Adopted authority!  The programs that
need to swap to another profile can adopted that profile or a profile
with *SECADM and authority to the profile before swapping to it!  No
password needed.

Moral of the story:  there is NO one right or wrong way.  You have to
use all of the tools in your toolbox.  Just because there are some cases
where you need a different tool, doesn't mean that there are no cases
where it is the best tool.

Authorization lists, groups, supplemental groups, adopted authority, and
most importantly Object level Access control (to implement an
exclusionary access control scheme) are all useful.  The key is to pick
the right tool for the right job.

Object Level Security is NOT sufficient for implementing your security
policy.  It is NECESSARY, however, because it is the only way to
implement
an exclusionary access control mechanism.   Exit point programs are very
useful when they are used to ALLOW access when it would otherwise be
denied.  They cannot be used to DENY access which is otherwise allowed
-- there are too many ways and interfaces that can be used to bypass a
particular exit point.

Patrick Botz
Senior Technical Staff Member
IBM Lab Services, Rochester
Security Architecture & Consulting, i5/OS Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx

For more information on CTC, visit our website at
http://www.ibm.com/eserver/services
http://www.ibm.com/servers/eserver/services


security400-bounces@xxxxxxxxxxxx wrote on 09/07/2006 12:38:24 PM:

Well, isn't THAT special. We just went through a change making all 
programs that are submitted to adopt the owner's authority. So far so 
good. However, what is not so good is the "outdated" comment.

Could you go into a little bit of detail about what you have done to 
not need adoption. I'm would like to picture what kind of effort would

be required to accomplish what it is you are talking about.

-----Original Message-----


_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/security400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.