• Subject: Re: Supplemental Group Profiles
  • From: Larry Bolhuis <lbolhuis@xxxxxxxxxx>
  • Date: Fri, 14 Jul 2000 01:01:14 -0400
  • Organization: Arbor Solutions, Inc

My .02:

  First, having many group profiles can cause significant overhead as
the system needs to perform security checking for the user's profile,
then each group profile in order, until authority is granted or denied.
If the lower profiles in the list are often used this is worst case.
Generally you should have the most frequently used near the top of the
list.

  Second, I favor a profile that can access only what is needed at that
time. Typically little or nothing for users, and source code and test
data for programmers. Utilize Adopted authority (usually some kind of
menu driver is the place) so that users only get authority when they are
in the application. This prevents unplanned ODBC, FTP, CA, etc file
transfers. One must consider that the AS/400 is much more connected now
than it was 10 years ago!
 
  Programmers often require multiple profiles. I prefer that the profile
used for testing against any production data doesn't have source access
so that they cannot get into the bad habit of using that profile for
general programming.
 
  Note that most programmers get cranky when they have any authority
whatsoever removed but eventually they come around when they realize
it's for their own protection.  Some day when they are positive their
*LIBL is correct (but they don't look) and they do CLRPFM somemasterfile
and get 'Not Authorized to file somemasterfile in theproductionlibrary'
they will stare at the message, take a deeeep breath, and thank you
(though usually under their breath!)  Similar messes can be made with
STRSQL, STDDBU, STRDFU, and calling those quickie update programs we've
all written.

 HTH - Larry

"Graap, Ken" wrote:
> 
> We are working on reviewing our AS/400's current security model
> implementation.
> 
> We have one system that supports both development and production
> environments.
> 
> Some user profiles are members in as many as 8-10 different group profiles.
> 
> The question has come up... What, if any, risk is associated with using
> Supplemental Group Profiles in order to give a single user profile access to
> multiple environments? Would it be better to have multiple user profiles,
> one designed to access each different environment?
> 
> An environment in this case would be defined as PRODUCTION, DEVELOPMENT,
> STAGING, TRAINING etc.

-- 
Larry Bolhuis         |  
Arbor Solutions, Inc  |  IBM AS/400e - Get There First!
(616) 451-2500        |  
(616) 451-2571 -fax   |  It's 10PM.  Has your NT Server had its
lbolhuis@arbsol.com   |  therapeutic re-boot yet today?
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
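
An added example, not part of the message above or of anyone's production setup: a CL sketch of the arrangement the reply describes, where users hold no authority to production data, a menu driver adopts its owner's authority, and the most-used group profile is listed first. Every library, profile, program and file name here (PRODLIB, DEVLIB, APPOWNER, APPMENU, ORDENTRY, ORDMAST, GRPORDERS, GRPINV, GRPRPT, JSMITH) is hypothetical.

```cl
/* One-time setup, run by a security officer. All names are hypothetical. */

/* 1. Owner profile that cannot sign on; it only owns application objects. */
CRTUSRPRF USRPRF(APPOWNER) PASSWORD(*NONE) USRCLS(*USER) +
          SPCAUT(*NONE) TEXT('Owner of production application objects')

/* 2. Production data: owned by APPOWNER, public excluded. A direct       */
/*    ODBC/FTP read or a stray CLRPFM by an end user or programmer now    */
/*    fails with "not authorized" instead of touching the file.           */
CHGOBJOWN OBJ(PRODLIB/ORDMAST) OBJTYPE(*FILE) NEWOWN(APPOWNER)
GRTOBJAUT OBJ(PRODLIB/ORDMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Menu driver source (member APPMENU in DEVLIB/QCLSRC):               */
/*        PGM                                                             */
/*          CALL PGM(PRODLIB/ORDENTRY)  <- runs with adopted authority    */
/*        ENDPGM                                                          */
/*    Compile it to adopt the owner's authority, then hand it to APPOWNER.*/
CRTCLPGM  PGM(PRODLIB/APPMENU) SRCFILE(DEVLIB/QCLSRC) USRPRF(*OWNER)
CHGOBJOWN OBJ(PRODLIB/APPMENU) OBJTYPE(*PGM) NEWOWN(APPOWNER)

/* 4. Only the application's group may call the driver.                   */
GRTOBJAUT OBJ(PRODLIB/APPMENU) OBJTYPE(*PGM) USER(*PUBLIC)   AUT(*EXCLUDE)
GRTOBJAUT OBJ(PRODLIB/APPMENU) OBJTYPE(*PGM) USER(GRPORDERS) AUT(*USE)

/* 5. Group order: the group this user needs most often goes first        */
/*    (GRPPRF), less frequently used groups follow in SUPGRPPRF.          */
CHGUSRPRF USRPRF(JSMITH) GRPPRF(GRPORDERS) SUPGRPPRF(GRPINV GRPRPT)

/* 6. Review: who can reach the file, and which programs adopt APPOWNER.  */
DSPOBJAUT OBJ(PRODLIB/ORDMAST) OBJTYPE(*FILE)
DSPPGMADP USRPRF(APPOWNER)
```

The DSPPGMADP listing is worth reviewing periodically, since every program on it grants its callers APPOWNER's authority for as long as it is on the call stack.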
