Thanks Rob for the explanation.
 


________________________________
From: "rob@xxxxxxxxx" <rob@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Sent: Monday, 8 July 2013 1:09 PM
Subject: Re: Group Profiles


Group profiles and authorization lists are attempts to simplify security
planning.  They are both built to solve some of the complexity of security
planning but achieve this with different techniques.

A user can belong to one primary group profile and any number of secondary
group profiles.  Using a group profile instead of individually listing
each user who may use a particular object allows you to add new users to
that object by simply adding them to that group.  Adding a new user
directly to that object may require that the object not be in use, which
can be hard, if not next to impossible, for some objects.  Group profiles
may also give you access to certain "special authorities".  This is
something to be aware of.  For example, if you buy a software package from
XYZ and every object in there is owned by XYZUSER you may think "let's
make that the group profile (or a supplemental group profile) for every
user who uses the package XYZ."  But, if you find out that XYZUSER has
*ALLOBJ or *SECADM then you've just given that authority to all those
users also.  This may have unintended consequences (some may call this an
understatement).

Group profiles and supplemental group profiles can go to extremes and may
be some load on your system.  PRTPRFINT may show the interaction consuming
quite a bit of space.  I've seen a SAVSYS go from 4 minutes to 44 minutes
based on this alone.

An alternative is authorization lists.  Again, you assign an authorization
list to an object or objects.  A user can be assigned to any number of
authorization lists.  Different users on the same authorization list may
have different access.  For example MRSPGMR may have *ALL and JUSTAUSER
may have *USE to programs within a program-only library.  You can add/change
users on an authorization list without getting a lock on the object.  You
may need the lock to initially assign the authorization list to that
object.  You can run the CHGLIB command to initially assign an
authorization list to any object created within that library.  Special
authorities are not adopted like they are with group profiles.


Rob Berendt
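
An added example, not part of Rob's message: a small Python model of the point above, that members pick up a group profile's special authorities while an authorization list entry conveys none. The profile records, the `PGMAUTL` list name and the `OTHERUSR` profile are constructed for illustration; on a real system the same fields would come from the user profile definitions.

```python
from dataclasses import dataclass

# The two special authorities the message names as easy to hand out by accident.
HIGH_RISK = frozenset({"*ALLOBJ", "*SECADM"})

@dataclass(frozen=True)
class Profile:
    name: str
    special: frozenset = frozenset()   # special authorities on the profile itself
    group: str = ""                    # primary group profile, "" if none
    supplemental: tuple = ()           # supplemental group profiles

def groups_of(p):
    """Primary group first, then supplemental groups."""
    return ([p.group] if p.group else []) + list(p.supplemental)

def effective_special(profiles, user):
    """Own special authorities plus those of every group the user belongs to."""
    p = profiles[user]
    eff = set(p.special)
    for g in groups_of(p):
        eff |= profiles[g].special
    return eff

def inherited_high_risk(profiles):
    """(user, group, authority) for each high-risk authority a user holds
    only because of group membership, not on their own profile."""
    findings = []
    for p in profiles.values():
        for g in groups_of(p):
            for auth in (profiles[g].special & HIGH_RISK) - p.special:
                findings.append((p.name, g, auth))
    return sorted(findings)

# Constructed sample data mirroring the XYZUSER scenario in the message.
PROFILES = {p.name: p for p in [
    Profile("XYZUSER", frozenset({"*ALLOBJ", "*SECADM"})),   # package owner
    Profile("MRSPGMR", frozenset({"*JOBCTL"}), group="XYZUSER"),
    Profile("JUSTAUSER", supplemental=("XYZUSER",)),
    Profile("OTHERUSR"),                                     # no group at all
]}

# Constructed authorization list: entries carry object authority only, so
# sharing a list with XYZUSER gives OTHERUSR no special authority. It is
# deliberately not an input to effective_special().
PGMAUTL = {"XYZUSER": "*ALL", "OTHERUSR": "*USE"}

if __name__ == "__main__":
    for user, group, auth in inherited_high_risk(PROFILES):
        print(f"{user} inherits {auth} from group profile {group}")
```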

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].