× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. BPCS-L
  3. February 2005

Fix that SSA *Allobj Security Exposure!

Lisa,

It is NOT true that the SSA profile needs *Allobj. *User is just fine and I
know many many companies who run this way. The only reason a consultant
would tell you it needs *Allobj is when they want to use it (being lazy) for
installs and other programming stuff. Having this level of authority on the
SSA profile is a serious SECURITY EXPOSURE and you need to change it.

Unfortunately before you can change it you need to run through all of your
BPCS objects, both files and programs and workstation data areas etc, to
make sure they are owned only by the SSA profile. Sometimes when you have
too much authority on the system you end up with BPCS objects being owned by
QSECOFR, or by individuals, and then when you change back to no authority,
things fall over because users don't have authority to these objects. This
can happen especially when a BPCS user or an operator has SSA as group
profile but Owner as *Usrprf (it should be *Grpprf). The reason for having
the Group Profile own things is so that when that individual leaves you
don't have to go through and change the authority on all his objects.

So, to summarise, you need to check the ownership of all objects in all BPCS
libraries (all the libs that are in a user's library list), you can do this
with WRKLIBPDM and F21, then work with the lib (12) and again F21. This
prints the list of ownership.
Then change the ownership of any objects not owned by SSA. There is a really
good tool in the TAATOOLs for doing this (CHGLIBOWN) which will fix a whole
library - these are available from
here:
http://www.taatool.com/
Then when you are happy that everything is correct, change the SSA profile
to have only *User.
Some people needed Spool Control too, depending on how you have set this up.
Job Control may have been needed to run the X-Ref, but that is not an issue
at V6.

Of course this DOES NOT solve the problem of the users having all access to
all the BPCS files. To fix this you need help from someone like Unbeaten
Path (Batten down the Hatches product.)

Hope this helps,

Clare

Clare Holtham
Director, Small Blue Ltd - Archiving for BPCS
Web: www.smallblue.co.uk
IBM Certified iSeries Systems Professional
Email: Clare.Holtham@xxxxxxxxxxxxxxx

----- Original Message ----- 
From: <Lisa.Abney@xxxxxxxxxxxxxxxxx>
To: "SSA's BPCS ERP System" <bpcs-l@xxxxxxxxxxxx>
Sent: Wednesday, February 23, 2005 9:06 PM
Subject: Re: [BPCS-L] Sox&BPCS


> Genyphyr ...
>
> Interesting that you say that *ALLOBJ authority is NOT required ... even
> for 4.05 (non CD)?  (Technically, it's not that the user profile has
> *ALLOBJ authority ... we were instructed by SSA that the user profile has
> to have SSA as a group profile, and that profile has to have *ALLOBJ
> authority.)  I specifically asked that question of the SSA help desk about
> 9 months ago, and was told that, while there was a  BMR available for
> later versions, it was not available for our version (although we might be
> able to retrofit it to make it work, etc.).  That e-mail from the help
> desk is what I used to document for our auditors why our profiles are set
> the way they are.
>
> Lisa D. Abney
> Manager Development Support
> Sensient Technology
> Phone:  (317) 240-1418
>
>
>
>
>
> Genyphyr Novak <genyphyr.novak@xxxxxxxxxxxxx>
> Sent by: bpcs-l-bounces+lisa.abney=sensient-tech.com@xxxxxxxxxxxx
> 02/23/2005 02:52 PM
> Please respond to
> "SSA's BPCS ERP System" <bpcs-l@xxxxxxxxxxxx>
>
>
> To
> bpcs-l@xxxxxxxxxxxx
> cc
>
> Subject
> Re: [BPCS-L] Sox&BPCS
>
>
>
>
>
>
>
>
>
>
>
> Hello,
>
> I would like to mention: BPCS does NOT require any user to have *ALLOBJ
> authority to run the product. Even when it was recommended to use the SSA
> group profile for users enrolled in BPCS this was not true. Nor do we any
> longer require or recommend that the user enrolled in BPCS should have an
> SSA group profile for any currently supported version of the product
> including BPCS 4.05 CD. Be aware that any user can update BPCS data via
> use
> of their PC even if they do not have command line access by use of ODBC
> connections - so it is not secure if your AS/400 is linked to your PC
> network.
>
> There are BMRs out there (please see the archives for more on this topic)
> delivering recompiled KRSO objects so that User Profile *OWNER is used,
> and
> to secure the command line from adopting too much authority. These BMRs
> ship with README instructions explaining how to use the recompiled
> objects,
> along with an understanding and use of iSeries security features, in order
> to properly protect your BPCS data files.
>
> Thanks,
>
> Genyphyr Novak
> SSA GT R&D
>
> message: 2
> date: Tue, 22 Feb 2005 14:18:36 -0500
> from: Lisa.Abney@xxxxxxxxxxxxxxxxx
> subject: Re: [BPCS-L] Sox&BPCS
>
> Danny ...
>
> We passed our first Sarbanes Oxley audit in December with flying colors.
> It was a LOT of work, but the work was on the development side ... change
> control, developer access to objects, etc.  ... nothing to do with BPCS.
> (And we are on 4.05 ... not a particularly current version!)  The only
> thing they really questioned about BPCS was the fact that that release
> runs with users having all object authority, but once we documented for
> them that that was a requirement of the software, and that we control the
> risks by the other security features we have in place (users not having
> command line access, etc.), that was acceptable.  Is there something in
> particular your auditors are questioning, with regards to BPCS?
>
> Lisa D. Abney
> Manager Development Support
> Sensient Technology
> Phone:  (317) 240-1418-- 
> This is the SSA's BPCS ERP System (BPCS-L) mailing list
> To post a message email: BPCS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/bpcs-l
> or email: BPCS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.
>
> Delivered-To: lisa.abney@xxxxxxxxxxxxxxxxx
>
> -- 
> This is the SSA's BPCS ERP System (BPCS-L) mailing list
> To post a message email: BPCS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/bpcs-l
> or email: BPCS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.
>
> Delivered-To: Clare.Holtham@xxxxxxxxxxxxxx
>

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.