Joe Pluta wrote:
Ugh. This sounds perilously close to the "it's too hard so just grant QSECOFR" argument. But be that as it may...

The goal of a SCM system is to make managing the development & deployment of applications easier ... and having to grant the user profile, that the SCM function is running as, the necessary authorities can be a very difficult process. Most application managers don't have have the authority to assign the rights you describe.

PLUS, under 95% of Implementer's operation (normal user functions), it's using a much lower capability user profile. It only uses programs that adopt QSECOFR authority when it needs to manage objects or object authorities.

Have you tried password *NOPWDCHK? You only need *USE authority to the profile. (And of course, there's always the old standby of simply submitting a job under that user profile. If you have *USE authority, you can do that no problem.)

Same reason as above.

Well, as it happens, we use Implementer to manage the development of
Implementer ... and, yes, we have to manage programs that adopt QSECOFR
authority :)
I understand that, but my point is that the requirements for managing security objects should not then require the same procedures apply to non-security objects. Specifically, programs that are owned by QSECOFR should follow a special path.

Sure, but the same programs that move the QSECOFR owned objects along the special path are used to move normal objects along a normal path. Which authorities are used?

And of course, we're still discussing an SCM system, which as you state is closer to a system function than an application. However, I still think that just because you sometimes need QSECOFR, that shouldn't require you to need it all the time.

No argument ... Implementer only adopts QSECOFR authority when it absolutely needs to. 95% of the time it's operating as a lower level user profile (*PGMR capability, I think, I'm not 100% sure).

david


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.