2 thoughts on “Protecting the Unrestricted from Impersonation”

  1. Hi Paul,

    Excellent post, as usual. Well done, Sir !
    I was thinking, it might be useful to have a specific ACT for protecting the Persons or Groups objects when they’re created (like the Portal ACT for Permissions Trees folders). Baseline, only sasadm (+sastrust) are protected through an explicit ACE, and your test proves this is not enough to ensure a thorough security.


  2. Thanks Ronan,

    A specific ACT sounds like a possibility. I once took the SAS supplied %MDUGRPAC macro (that applies an “ACT Securing Groups” ACT to all unsecured groups in SAS 9.1.3) and created a variation, %MDUACTAC, that was scheduled to automatically secure all new unsecured ACTs with an “ACT Securing ACTs” ACT. A similar approach could be used to schedule a job that automatically secures unrestricted user accounts with the ACT you suggest. The number and turnover of such accounts would normally be very small. You wouldn’t be doing it to save any time just to ensure a consistent security policy.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.