I usually just use authorization lists, but we are a small company
user-wise.
But it would seem that a combination of group profiles and authorization
lists might be the way to go (though I have never tried it). You say your
group profiles are snafued, but if those are maintained properly, the
authorization list would not have to be changed (too often, anyway) if the
group's are maintained. I have read of companies that had a procedure that
called for HR to notify IT of these changes (whether it works or not was
never stated!).
That is, if Cyndi is part of the APGROUP, then the authorization list would
simply show APGROUP. Then, if Cyndi quits or gets transferred, change her
group to, say, ARGROUP, which gives her access to the AR files. One can, of
course, define multiple groups within AP/AR, such as APADMIN, APENTRY, etc.
The difficulty (for me, anyway) is structuring how to define the groups so
that Cyndi could have *Change authority on one object while the rest of the
group only has *Use authority, or vice versa. And this deviation may not be
consistent across all objects in the group's repertoire. That is, split
authorities within the group could start to make it somewhat complicated
since a user can only belong to one group. Which may be another reason why
I always stuck with the authorization lists. But that, too, can be a
headache in a larger organization than ours, but a little program could be
written to write all lists to an outfile for analysis.
In the end I doubt that there is a "one size fits all" (best practice).
Like they say, "It depends."
Jerry C. Adams
IBM i Programmer/Analyst
Between coffee breaks I tend to doze off.
--
A&K Wholesale
Murfreesboro, TN
615-867-5070
-----Original Message-----
From: midrange-l-bounces+midrange=usit.net@xxxxxxxxxxxx
[mailto:midrange-l-bounces+midrange=usit.net@xxxxxxxxxxxx] On Behalf Of
Cyndi Bradberry
Sent: Monday, August 15, 2011 9:23 AM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: Best Practices
Which is best, Authorization lists or Group Profiles ?
Years ago, we setup Group Profiles, assigned everyone to a group, and
assigned authority to the group. Of course, with people trading jobs,
they are all snafu'd.
I would like to know which way is the best way to restructure our
security.
Cyndi B.
Boise, ID
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
[javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.