× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. September 2006

Re: Commands for Limited Users

Pat,

The point I was trying to make was that adopted authority has
limitations and has not been enhanced over the years to keep up with
modern applications. That means you have to start using newer techniques
like swapping. I started using swapping because the IFS, triggers and
exits can't propagate adopted authority. The newer APIs make swapping
easier but it is still more difficult than adopting. My guess is that
overall iSeries security has suffered because adoption didn't keep up
and swapping is not as easy as it could be.

--David Morris

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Monday, September 11, 2006 1:22 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

There is no one right answer.  In fact, swapping has it's own
limitations.
For example, unless you're running under a user profile with *SECADM and
*ALLOBJ, you have to have the password to the profile you're trying to
swap
to.   Last time I checked, hardcoded passwords was also a bad idea.

How does one avoid this issue?  Adopted authority!  The programs that
need
to swap to another profile can adopted that profile or a profile with
*SECADM and authority to the profile before swapping to it!  No password
needed.

Moral of the story:  there is NO one right or wrong way.  You have to
use
all of the tools in your toolbox.  Just because there are some cases
where
you need a different tool, doesn't mean that there are no cases where it
is
the best tool.

Authorization lists, groups, supplemental groups, adopted authority, and
most importantly Object level Access control (to implement an
exclusionary
access control scheme) are all useful.  The key is to pick the right
tool
for the right job.

Object Level Security is NOT sufficient for implementing your security
policy.  It is NECESSARY, however, because it is the only way to
implement
an exclusionary access control mechanism.   Exit point programs are very
useful when they are used to ALLOW access when it would otherwise be
denied.  They cannot be used to DENY access which is otherwise allowed
--
there are too many ways and interfaces that can be used to bypass a
particular exit point.

Patrick Botz

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.