This is a multipart message in MIME format.
--
[ Picked text/plain from multipart/alternative ]
I went to the Notes forum and asked a question about this.  Here's the
discussion:

Topic:



WRKDOMSVR works great for people with Godlike authority. However for other
people the status of the servers is UNKNOWN.

Fix:
>From the 5.0.11 iSeries release notes:

<quote>
To view the Domino server status on the WRKDOMSVR display, the user
profile must have *USE object authority to the QUSRNOTES library. To grant
authority to this library, use the command:
GRTOBJAUT OBJ(QSYS/QUSRNOTES) OBJTYPE(*LIB) USER(<user-profile-name>)
AUT(*USE)
</quote>

Question: Can anyone see a problem with putting the following steps in our
company's upgrade instructions?

...
WRKOBJ OBJ(QUSRNOTES) OBJTYPE(*LIB)
5=Display authority
If *PUBLIC has the authority of *EXCLUDE, then use
2=Edit authority
to change them to *USE
...

Does this open up some security holes?
**********************************************************
**********************************************************


First respose:
If you give *PUBLIC a *USE authority, it means everyone who can sign-on to
your iSeries can use the command. The WRKDOMSVR command is intended for
people who have business managing/monitoring your Domino server(s) from
the green screen. I'd go with granting specific user or group profiles
only. I guess the philosophy is - "If they don't need it, don't give it"
:-)
**********************************************************
**********************************************************

My response:
The scary thing is that without access to that library the average user -
with no special authorities:
can still do a WRKDOMSVR,
they can still use option 6 to stop a server,
they can still use option 1 to start a server.
They just can't see the status of the server. What security is that???


Comments please.


Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.