Security Experts, In order to provide a more flexible security structure, I am interested in swapping group profiles. I have heard that this is possible, but my tests indicate that you must also swap the base profile. Is this true? If it is not possible to swap groups without swapping the main profile, what would be some other options? I am looking for a good replacement for adoption that covers all file systems and job types. David Morris
Swapping group profile
-
I found a way to swap groups, but when I release the profile handle the group authority "sticks" until I sign off. I haven't spent enough time researching this, but it is interesting if my test is valid. What I did was retrieve my group profile, change my group profile to the one I wanted to adopt, get a handle to my profile, swap, change my profile back, test my authority (it works), release the profile handle (surprise, it still works). When I sign off and back on, my authority is restored. Shouldn't releasing the profile restore the authority? David Morris
-
David, I don't think so because you never really release the profile... you just release the profile handle. (And as near as I can tell, releasing a profile handle simply makes it unusable... which happens anyway when the job ends.) In order to return to your original authority, I believe that you'll have to reverse the process and swap yourself back to yourself (with your original group profile). HTH jte MC Security Editor
-
Hi David, In order to make it work you should retrieve your current profile handle prior to the changes you make, then retrieve the handle of the changed profile. Next set the new profile handle and do whatever you need to do with your temporary group profile authority. Finally set the original profile handle, release the new profile handle and then also release the original profile handle. The OS/400 API Appendixes V4R3, appendix A.19 has some more information about the use of profile handles. Wayne O. Evans published a SETGRPPRF command in the May 1994 issue of MC - the article describing the command has some interesting details about the implementation of the scheme you're working on. Best regards, Carsten Flensburg
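The sequence described in the post above, written out in CL as an added example (not code from the thread or from the SETGRPPRF article). It assumes the standard Get Profile Handle, Set Profile and Release Profile Handle APIs (QSYGETPH, QWTSETP, QSYRLSPH), which the thread does not name; the parameter &TMPGRP and the program MYLIB/MYWORK are hypothetical.

```cl
/* Added example: temporary group swap via profile handles.          */
/* Assumptions: caller may change its own profile and has *USE to it; */
/* &TMPGRP and MYLIB/MYWORK are hypothetical names.                   */
PGM        PARM(&TMPGRP)
DCL        VAR(&TMPGRP)  TYPE(*CHAR) LEN(10)
DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
DCL        VAR(&ORIGGRP) TYPE(*CHAR) LEN(10)
DCL        VAR(&ORIGHDL) TYPE(*CHAR) LEN(12)
DCL        VAR(&TMPHDL)  TYPE(*CHAR) LEN(12)
DCL        VAR(&NOPWD)   TYPE(*CHAR) LEN(10) VALUE('*NOPWD')

RTVJOBA    CURUSER(&USER)
RTVUSRPRF  USRPRF(&USER) GRPPRF(&ORIGGRP)

/* 1. Handle for the profile before anything is changed */
CALL       PGM(QSYGETPH) PARM(&USER &NOPWD &ORIGHDL)

/* 2. Change the group, take a second handle, restore the profile */
CHGUSRPRF  USRPRF(&USER) GRPPRF(&TMPGRP)
CALL       PGM(QSYGETPH) PARM(&USER &NOPWD &TMPHDL)
MONMSG     MSGID(CPF0000) EXEC(DO)
   /* Do not leave the profile pointing at the temporary group */
   CHGUSRPRF  USRPRF(&USER) GRPPRF(&ORIGGRP)
   CALL       PGM(QSYRLSPH) PARM(&ORIGHDL)
   RETURN
ENDDO
CHGUSRPRF  USRPRF(&USER) GRPPRF(&ORIGGRP)

/* 3. Swap to the handle taken while the temporary group was set */
CALL       PGM(QWTSETP) PARM(&TMPHDL)

/* 4. Work that needs the temporary group authority. Errors are    */
/*    monitored so the swap back in step 5 always runs.            */
CALL       PGM(MYLIB/MYWORK)
MONMSG     MSGID(CPF0000)

/* 5. Swap back first, then release both handles. Releasing a      */
/*    handle alone does not change the job's current authority.    */
CALL       PGM(QWTSETP) PARM(&ORIGHDL)
CALL       PGM(QSYRLSPH) PARM(&TMPHDL)
CALL       PGM(QSYRLSPH) PARM(&ORIGHDL)
ENDPGM
```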
-
David, If you are using a V4R5 system you may want to look at the qsysetgid() - Set Group ID API. This API allows you to change just the group profile of your thread/job. Documentation can be found at: http://publib.boulder.ibm.com/pubs/h...info/index.htm If you want to change just the user profile but not the group then you can use the qsysetuid() - Set User ID API. There are restrictions on what user profiles and group profiles can be set with these APIs, so be sure to read their documented Error Restrictions. Ed Fishel
-
Thanks Guys, At least it sounds like I am on the right track. The plan is to register an exit program that will swap back. Other than propagating authority in cases where adoption is lost, what other holes have I opened? I should have that magazine in my office. I did look at the new API, which would work better because it appears to be more lightweight, but this has to work on a V4R4 system for a short while. David Morris