Re: How to grant limited access to BPCS user? Query/400 -- BPCS-L

From Al Macintyre

>  From:    logic_km@hotmail.com (kha lid)
>  We have BPCS 405 CD version on AS/400.
 
We also

>  I want to give access of query/400 to my users. 
>  But I don't want them to see beyond their scope. 
>  For example sales department should not view GJD,GGM files etc.

And other departments should not view credit card bills of sales department 
business trips, and some folks get snippy about who should be subtracting 
cost of goods from dollars billed to get profit then divide by quantity 
shipped to get percentage profit & other interesting numbers.

But I think the really bad thing is when 
user-A creates a query that is flawed & giving out BAD DATA
user-B uses the data as gospel & not have any idea how to tell what not right

>  Since group profile of each user is SSA which is the owner of all BPCS 
>  objects including logical & physical files; hence it is not possible to 
>  restrict any user to see beyond its scope.
>  
>  I have many users and it is not possible for me to create new account 
(with 
>  limited access) for each user to restrict them with-in their scope.
>  
>  Any idea to over come this situation.

Quite simply our solution is to have some people WE TRUST to cooperate with a 
SECURITY POLICY, and we have some Query Definition Libraries that are NOT in 
the SSA library list ... there is some CL that adds the relevant query 
library temporarily to the library list, runs a string of queries, then 
removes the library, then ends.  The end user runs this off of a BPCS User 
Menu, in which the prefix to the job is in agreement with BPCS security.

I created a secondary security group for the trusted group of query creators, 
so that they would be easily able to copy queries between library lists of 
different environments, and get the right files adjusted in these moves ... 
God forbid that anyone might create a query linking 2 environments.

Queries that list the contents of General Ledger start with the letters GLD 
then they have some ALPHA characters so they won't conflict with anything 
from SSA, and by having GLD in front, only people who are authorized to run 
GLD stuff, by the SSA security, gets to run this Query.

For every ONE person whom we have trusted with programmer authority (needed 
to compile the CL) there are TEN persons running the Query/400 CL that they 
have created.

We also have more people who are competent at creating queries than we have 
who know all the stuff about getting the CL working good, and a large number 
who know how to add one of these CLs to the BPCS User Menu of choice, which 
of course we can limit through BPCS Security who allowed to do this, so 
basically we have enough people who are trusted to do certain things & get 
the job done, and a huge army of others actually using the queries but not 
having access to changing them, other than selection criteria at run time.

The only holes in this game plan are the numbers of people whose bosses 
insist that they have to have command line authority & the numbers of high 
level managers who are eager to dive into Query without first learning the 
rules ... no matter how often I tell these people that there is a certain 
risk naming their Query program with some name like INV300C or their query 
work file with the name BPCS uses for Item Master, they do not seem to get it.

We have been quite lucky so far, thanks to me forcing library list additions 
of queries to the bottom of the library list so any sabotage does not rise 
above the real thing.

Al Macintyre  ���
http://www.cen-elec.com MIS Manager Programmer & Computer Janitor
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---