2 thoughts on “Protecting the Unrestricted from Impersonation”

  1. Hi Paul,

    Excellent post, as usual. Well done, Sir!
    I was thinking, it might be useful to have a specific ACT for protecting the Persons or Groups objects when they’re created (like the Portal ACT for Permissions Trees folders). Baseline, only sasadm (+sastrust) are protected through an explicit ACE, and your test proves this is not enough to ensure thorough security.

    Cheers
    Ronan

  2. Thanks Ronan,

    A specific ACT sounds like a possibility. I once took the SAS-supplied %MDUGRPAC macro (that applies an “ACT Securing Groups” ACT to all unsecured groups in SAS 9.1.3) and created a variation, %MDUACTAC, that was scheduled to automatically secure all new unsecured ACTs with an “ACT Securing ACTs” ACT. A similar approach could be used to schedule a job that automatically secures unrestricted user accounts with the ACT you suggest. The number and turnover of such accounts would normally be very small. You wouldn’t be doing it to save any time, just to ensure a consistent security policy.

    Cheers
    Paul
