Status Under Review
Created by Andreas Heitzer
Created on Jul 13, 2021

[RBAC]: Authorization for Adabas LUW Utilities

If activating the feature in adaauth.ini with parameter ACTION = YES, the USER_ROLE in adarbac.ini using UserID = *
is changed to the real Unix user and the utility adarep (example: adarep dbid=3) gets the error
ADAREP-E-ACNOPERM, Security violation. Permission denied, even though the username is identical to the Unix user's entry.

We are expecting the "effective" user ID to be used for authorization purposes;
e.g. "ADA" - the value of getpwuid( geteuid() ).

The audit log shows that the name associated with the "current login activity" is being used for authorization purposes;
e.g. "andreas.heitzer" - the value of getlogin().

BACKGROUND INFORMATION
==========================================================

Processing Logic:
Authorization for Adabas Utilities uses as user ID for authorization purposes:

a) The name associated with the "current login activity"; e.g. "andreas.heitzer" - the value of getlogin().

b) When the name is not available, for example in batch:
     the name associated with the "real" user ID of the process; e.g. the value of getpwuid( getuid() ).

The reasoning behind this processing logic is the desire to ensure accountability; e.g. who is the "persona" executing the function.

LINKS:
---------
https://www.gnu.org/software/libc/manual/html_node/Process-Persona.html#Process-Persona
http://pubs.opengroup.org/onlinepubs/007904875/functions/getlogin.html

The chapter "The Persona of a Process" in the GNU C Library documentation states:

At any time, each process has an "effective" user ID, an "effective" group ID, and a set of "supplementary" group IDs.
These IDs determine the privileges of the process.
They are collectively called the persona of the process,
because they determine “who it is” for purposes of access control.

The description of the getlogin() function from OpenGroup:

APPLICATION USAGE
Three names associated with the current process can be determined:
getpwuid( geteuid() ) shall return the name associated with the __effective__ user ID of the process;
getpwuid( getuid() ) shall return the name associated with the __real__ user ID of the process.
getlogin() shall return the name associated with the __current log
---

28-06-2021: itrac number was wrong...

Use Case Re-Hosting
Created on Brainstorm 06.07.2017 04:38 pm
Brainstorm ID 4878
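
The three names discussed in the request above can be compared with a short C program. This is an added example, not code from the original post or from Adabas; the helper names accountability_name and identity_mismatch are hypothetical and only mirror the selection order the post describes.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the passwd name for uid into buf; returns buf, or NULL if no entry. */
static const char *name_for_uid(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);   /* static storage, so copy out */
    if (pw == NULL || pw->pw_name == NULL)
        return NULL;
    snprintf(buf, len, "%s", pw->pw_name);
    return buf;
}

/* Hypothetical helper: selection order described in the post. Login name
 * first, real-UID name when no login name is available (e.g. batch). */
static const char *accountability_name(const char *login, const char *real_name)
{
    if (login != NULL && login[0] != '\0')
        return login;
    return real_name;
}

/* Hypothetical helper: 1 when the chosen name is not the name of the
 * effective UID (or either name is unknown), 0 when they match. */
static int identity_mismatch(const char *chosen, const char *effective_name)
{
    if (chosen == NULL || effective_name == NULL)
        return 1;
    return strcmp(chosen, effective_name) != 0;
}

int main(void)
{
    char lbuf[256], rbuf[256], ebuf[256];
    const char *login = NULL;
    const char *l = getlogin();          /* NULL without a login session */
    if (l != NULL) { snprintf(lbuf, sizeof lbuf, "%s", l); login = lbuf; }
    const char *real = name_for_uid(getuid(), rbuf, sizeof rbuf);
    const char *eff = name_for_uid(geteuid(), ebuf, sizeof ebuf);
    const char *chosen = accountability_name(login, real);

    printf("getlogin()            : %s\n", login ? login : "(none)");
    printf("getpwuid(getuid())    : %s\n", real ? real : "(none)");
    printf("getpwuid(geteuid())   : %s\n", eff ? eff : "(none)");
    printf("name per post's logic : %s\n", chosen ? chosen : "(none)");
    printf("differs from effective: %s\n", identity_mismatch(chosen, eff) ? "yes" : "no");
    return 0;
}
```

Running it in the same session that starts the utility shows which of the three names differ and therefore which one the role entry has to match.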