Perhaps there was a misunderstanding. We use various profiles for various purposes. There is no correlation between the profiles and real people. It is not like we have a hire to full time do something that in reality is only needed once in a blue moon. One real person may use several profiles for different functions. Several real persons may have occasion to use one specialized profile for a specialized function, such as configuration of hardware hookup. The profiles are set up so that they can do that one function & not a heck of a lot else. A function is needed. Several people know about the profile that is used to do it.

The only everyday tasks we have that require access to security sign-ons are those related to backup & new personnel at our site. Security sign-on is used only long enough to perform those tasks.

The way BPCS 405 CD was written ... there are a lot of things that royally give the finger to IBM security standards & as much as possible we refrain from using those things. For example, I could not get XREF to work right so I called SSA Help Line ... turns out the only way it will work is by making 100% of our users into master security officers. I decided I did not want XREF that badly. Now thanks to MIDRANGE-L I have the equivalent ... via query I can find out what all calls some file or program & it is more user friendly than SSA XREF ever was.

The ONLY time we use the second master security officer sign-on is when we are loading objects that SSA sent us via upgrades & BMR tapes. That second master security officer is part of the BPCS user group but not part of the menu structure. Usually when someone signs on, it takes them to the BPCS main menu where SSA security dictates what secondary menus & options they get to work with. In other words, objects loaded from SSA BMR tapes become under the ownership of the person who loaded them & some need a higher authority than an ordinary user to do the actual tape to disk.
If these objects need to be accessed by people who use BPCS, then the person who loads them needs to be within the same user group where 100% of our BPCS users are set up so that anything they create belongs to the SSA user group and anything that is in the group they can access, other security rules providing.

One problem we found with security & how BPCS 405 CD is structured is that the moment someone in the BPCS user group signs on, it grabs access to some files, but there are jobs like INV900 that might bomb if there is a conflict for access to some files that they need dedicated access to.

One scenario ... my boss the CFO is dialing in to his home PC from home to do end month work. I am in the office until INV900 is done with the tape drive, but because it is going to be running for a while, I am in the toilet reading my computer magazine's latest programming tips, when he phones in to see how it is doing. No answer from my office phone so he tries to sign on. If he signs on as a normal member of the BPCS user group it could crash INV900, so I have taught him to sign on as one of the standard IBM Q people & we have been careful not to entangle any of the standard IBM Q people with BPCS.
If I cannot teach him & other executives that "If you can sign on to your PC then to 400 from home, then a hacker can pretend to be you" then I have a security risk that cannot be closed until a hacker teaches it to him with possibly catastrophic results. This is one reason I have been telling them all about the Microsoft hack where a hacker did exactly that, broke into an employee's PC then went from there to being a trusted computer by Microsoft, but it still has not yet penetrated to my management to realize that if this could happen to Microsoft it could certainly happen to us. The only difference between M$ & us is M$ is a bigger target.

This relates to the topic of whether master security officer should be able to sign on from any place other than the main console, which is a separate issue from how many master security officer profiles are prudent.

We have had troubles loading SSA tapes where it says this tape was created by a person called X on SSA's machine but our 400 does not have a person called X so we cannot restore the tape. Simple solution, we take our second master security officer who was created for the sole purpose of restoring SSA tapes, and rename that person to now be called X. I do not want to be changing the name QSECOFR.

MacWheel99@aol.com (Alister Wm Macintyre) (Al Mac)
AS/400 Data Manager & Programmer for BPCS 405 CD Rel-02 mixed mode (twinax interactive & batch) @ http://www.cen-elec.com
Central Industries of Indiana--->Quality manufacturer of wire harnesses and electrical sub-assemblies - fax # 812-424-6838

+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.