On 8/27/07, Graves Nora E <[EMAIL PROTECTED]> wrote: > We use LOGONBY to be able to log onto a test user whose profile has > nothing but class G authority. It's great to be able to do final > testing to make sure that the final users have access to all necessary > functions. Changing the privileges by default might negate some of > those results.
I think your scenario would still be safe with what Alan suggested. During your test you would have the privileges of the target only. Your scenario would only break when Alan had proposed "reverse inheritance" or "sideways inheritance" of privileges (the person who logged on to TESTABC could also have chosen to logon to TCPMAINT, so let's now give TESTABC the authorisation that TCPMAINT would have had). A somewhat similar problem is with the altuser implementation when the target gets the combined authorisation of the worker machine and the owner of the job. Rob