• Subject: Re: Op's nav - Graphical UPDDTA
  • From: John Earl <johnearl@xxxxxxxxxxxxxxx>
  • Date: Tue, 28 Mar 2000 21:09:35 -0800
  • Organization: The PowerTech Group

Colin,

I have to ask...

Colin McNaught wrote:
> 
>      Rob,
> 
>      Turning off the Database portion of Operations Navigator will not
>      resolve this glaring security breach. If someone wants to get to your
>      database they don't need to use Operations Navigator, ftp, file
>      transfer or even windows explorer will do the job just as easily.
>      The only safe way is to use object security.

Is this realistic?   Has anyone actually implemented an object
authority scheme that will allow access from the green screen,
restrict access from the network, and still prevent inappropriate
data changes and data disclosure?  I mean if you give someone
*CHANGE authority to the ORDER file so that they can add, change,
and delete records from an RPG program, how do you prevent them
from doing the same thing from MS Excel & ODBC?  Your RPG has all
sorts of edits in it that validate fields (only 50 valid state
values), restrict values (you cannot discount an order more than
10%), and restrict disclosure (you can only see orders you
entered).  How do you _really_ do that with "Object Authority"?

I do know that you can get closer to this ideal using some
variation of Application Only Access (adopted authority).  AOA is
real good at restricting access, but less so at providing any sort
of access from outside the application.  (Example: With AOA, how
do you provide ability to view transactions with a VB application,
but restrict the ability to download the entire file with FTP?) 
Still AOA is a fairly good solution if you wrote the application. 
It's much harder to impose on a vendor application.

Like many who have studied the issue, I believe that object
Authority is a wonderful thing.  I just don't know anyone who has
successfully and completely deployed it.  (OK a disclaimer is in
order.  As many of you already know, we sell an Exit Point Program
solution that guards against data access from the network, so I'll
admit to being more than a little biased.)   It's just that for
years I have been listening to people say that "object authority"
is the silver bullet, but no-one seems to know where the gun is
that could actually fire that bullet.  :(

If I'm mistaken here, I'd sure like to be enlightened on this
point.

jte

--
John Earl                               johnearl@400security.com
The PowerTech Group                     206-575-0711
PowerLock Network Security              www.400security.com
--
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
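
The Application Only Access (adopted authority) setup that John contrasts with plain *CHANGE authority, as an added CL example that is not part of the list message: library APPLIB, file ORDER, program ORDENT, owner profile APPOWNER and user profile CLERK are all assumed names.

```cl
/* Constructed example; APPLIB, ORDER, ORDENT, APPOWNER and CLERK are hypothetical. */

/* Weak setting: CLERK holds *CHANGE on the file itself, so Excel/ODBC, FTP
   and file transfer can add, change and delete records with exactly the
   rights the RPG program has, and none of the program's edits apply. */
GRTOBJAUT OBJ(APPLIB/ORDER) OBJTYPE(*FILE) USER(CLERK) AUT(*CHANGE)

/* Application Only Access: remove the user's direct authority and exclude
   the public, so the file is unreachable outside the application. */
RVKOBJAUT OBJ(APPLIB/ORDER) OBJTYPE(*FILE) USER(CLERK) AUT(*ALL)
GRTOBJAUT OBJ(APPLIB/ORDER) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
CHGOBJOWN OBJ(APPLIB/ORDER) OBJTYPE(*FILE) NEWOWN(APPOWNER)

/* The program is owned by the same profile and adopts the owner's
   authority while it runs; CLERK only needs *USE on the program.
   The RPG edits are now the only path that can change the data. */
CHGOBJOWN OBJ(APPLIB/ORDENT) OBJTYPE(*PGM) NEWOWN(APPOWNER)
CHGPGM PGM(APPLIB/ORDENT) USRPRF(*OWNER) USEADPAUT(*YES)
GRTOBJAUT OBJ(APPLIB/ORDENT) OBJTYPE(*PGM) USER(CLERK) AUT(*USE)

/* Check: confirm that *PUBLIC is *EXCLUDE and no user profile except the
   owner appears with authority to the file. */
DSPOBJAUT OBJ(APPLIB/ORDER) OBJTYPE(*FILE)
```

This closes the ODBC and FTP paths but also removes the read-only view from a VB or ODBC client that John asks about, which is the trade-off the message describes.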
