1.  Home
  2. MIDRANGE-L
  3. April 2008

RE: Anti-virus for i5OS

So you would want 5722XE1, iSeries Access for Windows installed under
a profile other than QSECOFR? The same thing for Query Manager and
TCP/IP connectivity Utilities? Seems way overboard to me.

Absolutely, I don't know that any of these specifically require use of
the QSECOFR profile. RSTLICPGM only requires *SECADM and *ALLOBJ
authority.

I guess my confusion comes from the fact that the only profile with
*ALLOBJ on our system is QSECOFR. That will be the only usable profile
ever on our system to have *ALLOBJ. Hence we load licensed programs with
QSECOFR. If you load a package with another profile that has *ALLOBJ,
you've given them access to QSECOFR anyway, right?

That's quite a different question from what the licensed program, or third
party package, runs under. I've had my fun battles with an EDI package
and a spool management software package that seem overly enamoured with
running under a profile with *ALLOBJ. In cases like these you normally
end up knowing more than the vendor's help desk about how their security
works. Amazing how many people get totally confused by the fact that you
want to change one of their programs to run as *USER and can't because the
program doesn't have the needed data to be changed without recompiling.

In the past some software vendors would require the use of the QSECOFR
profile for installation, then immediately copy it to the profile that
owns all their objects. Then their helpdesk could have QSECOFR access
without having to ask you for it. Once you give up the control they can
do anything they want, like using a profile of ABC123 with a password of
ABC123.

How would they access your system without your knowledge? For the EDI
package that I'm saddled with, the user profile was disabled and only very
limited communications was allowed to the package. While it took
continuing work to get excess authorities of the owning profile removed, I
was fairly confident that nobody was using it without my knowledge. I may
be wrong (wouldn't be the first time....).

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.