


This whole discussion thread was making me nervous!  So I checked out my SSA 
user profile.  The User Class is *USER and special authorities are *JOBCTL and 
*SAVSYS.  That's it.

We are on V6.04.

Norman Boyd
Showa Aluminum Corp. of America

>>> darrylfrankel@xxxxxxxxxxxxxxxxx 02/24/05 05:31PM >>>
Matters are different when accessing the database using tools such as ODBC
drivers.

In this instance, you may be advised to:
- Revoke all authorities and simply grant authority to a single group
profile with all rights required to run BPCS such as SSA. ALLOBJ authority
is not required at all.
Change your initial program such as BPCSMENU to adopt the owner's authority.
In this manner when you sign on, you will not have access to BPCS, until the
user has passed BPCS Security, under program control starting with the
initial program BPCSMENU.

- Create a new user profile for ODBC users to sign on with. This user should
then at most have READ rights only to BPCS data libraries. In some shops,
you may want to restrict the access to a few files only.

Darryl Freinkel
Assignment400.com


-----Original Message-----
From: bpcs-l-bounces+darrylfrankel=assignment400.com@xxxxxxxxxxxx 
[mailto:bpcs-l-bounces+darrylfrankel=assignment400.com@xxxxxxxxxxxx] On
Behalf Of DeeDee Virgei
Sent: Thursday, February 24, 2005 3:35 PM
To: SSA's BPCS ERP System
Subject: RE: [BPCS-L] Fix that SSA *Allobj Security Exposure!

Hi,

Removing *ALLOBJ authority (or changing it to *USER) does not resolve the
issue w/ ODBC and some other PC software; if you have all your users w/ SSA
group profile then you are still at risk.  Keep in mind Genyphyr's statement
"Nor do we any longer require or recommend that the user enrolled in BPCS
should have an SSA group profile for any currently supported version of the
product..."   If my memory serves me correctly,  the general solution to
this problem is to perform a few steps:
1st (and most relevant) set all BPCS programs' USRPRF setting to *OWNER and
I believe USEADPAUT setting to *YES (can change w/ CHGPGM command).  
2nd verify all BPCS objects are owned by SSA (if not, can change w/
CHGOBJOWN command or use TAATOOL as suggested - should have shipped this
way).
3rd for all BPCS files, verify SSA authority is set to *ALL (should have
shipped this way), and *PUBLIC authority is set to either *USE or *EXCLUDE
depending on how much access you want your users to have outside of BPCS and
the green screen (I believe shipped w/ *CHANGE, can change w/ GRTOBJAUT
command).

The final step is to start removing SSA Group profile from your users'
profiles...  I've really oversimplified this fix.  First off, you won't be
able to change all the BPCS programs in the 1st step due to the attribute
settings on some security programs.  That is where OGS comes into play;
support can send you these programs w/ the *OWNER setting.  Although I'm
still not sure what releases they will do this with...  A work-around is to
change BPCSMENU (the BPCS startup program [CLP]), add "CHGGRPA GRPJOB(SSA)".
This will provide you w/ traditional green screen security where users have
SSA authority, but are limited due to the "Limit capabilities *YES" setting
in their profile.  Since this added command only changes the interactive
session authority, ODBC and other PC software should not be a threat...  A
few last points, you will have to adjust file authority (3rd step) if you
have other programs/applications that run on the iSeries or other platforms
updating BPCS files; possibly add additional group authority.  BPCS programs
(1st step) includes
modified and out-of-the-box programs.  File authority (3rd step) also
applies to non-BPCS files used by modified BPCS programs.  Hope this helps.
I've gathered this info from the archives...

DeeDee Virgei
Project Leader

Nelson Stud Welding, Inc.    
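
Added example, not part of the original post: a small audit that applies the checks from the steps above (programs adopting *OWNER, objects owned by SSA, *PUBLIC limited to *USE or *EXCLUDE, users still in the SSA group, *ALLOBJ on the group profile) to an inventory of profiles, programs and files. The record layout, the file names FILEA/FILEB and the sample users are constructed assumptions, not IBM i output formats or real BPCS objects.

```python
GROUP = "SSA"                      # owning group profile named in the thread
PUBLIC_OK = {"*USE", "*EXCLUDE"}   # 3rd step: acceptable *PUBLIC authority on files

def audit(profiles, programs, files):
    """Return a sorted list of (check, name) findings."""
    found = []
    for p in profiles:
        # *ALLOBJ on the group profile is not required and widens every member's reach.
        if p["name"] == GROUP and "*ALLOBJ" in p["special"]:
            found.append(("group-has-allobj", p["name"]))
        # Final step: a user still in the group carries its authority into ODBC sessions.
        if p["group"] == GROUP:
            found.append(("user-in-group", p["name"]))
    for pg in programs:
        # 1st step: programs should adopt the owner's authority.
        if pg["usrprf"] != "*OWNER":
            found.append(("no-adopted-authority", pg["name"]))
    for obj in programs + files:
        # 2nd step: every object should be owned by the group profile.
        if obj["owner"] != GROUP:
            found.append(("wrong-owner", obj["name"]))
    for f in files:
        # 3rd step: owning profile has *ALL, *PUBLIC is no more than *USE.
        if f["aut"].get(GROUP) != "*ALL":
            found.append(("group-not-all", f["name"]))
        if f["aut"].get("*PUBLIC") not in PUBLIC_OK:
            found.append(("public-too-broad", f["name"]))
    return sorted(found)

# Constructed sample inventory (not taken from a real system).
PROFILES = [
    {"name": "SSA", "group": None, "special": ["*ALLOBJ", "*JOBCTL"]},
    {"name": "JSMITH", "group": "SSA", "special": []},
    {"name": "ODBCRO", "group": None, "special": []},
]
PROGRAMS = [
    {"name": "BPCSMENU", "owner": "SSA", "usrprf": "*USER"},
    {"name": "ORD500", "owner": "SSA", "usrprf": "*OWNER"},
]
FILES = [
    {"name": "FILEA", "owner": "SSA", "aut": {"SSA": "*ALL", "*PUBLIC": "*CHANGE"}},
    {"name": "FILEB", "owner": "QPGMR", "aut": {"SSA": "*ALL", "*PUBLIC": "*USE"}},
]

if __name__ == "__main__":
    for check, name in audit(PROFILES, PROGRAMS, FILES):
        print(f"{check:22} {name}")
```
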

 -----Original Message-----
From:   bpcs-l-bounces+deedee.virgei=nelsonstud.com@xxxxxxxxxxxx 
[mailto:bpcs-l-bounces+deedee.virgei=nelsonstud.com@xxxxxxxxxxxx]  On Behalf
Of Clare Holtham
Sent:   Thursday, February 24, 2005 4:36 AM
To:     SSA's BPCS ERP System
Subject:        Re: [BPCS-L] Fix that SSA *Allobj Security Exposure!

But Tay,

It works as shipped. In other words, the SSA Group Profile (which is not
shipped as *Allobj, or never was) owns all the BPCS objects, and all the
BPCS users are members of that group. *Allobj is a red herring and is not
required. In Europe we (when I was with SSA) have always created a secondary
profile called SSALOAD which DOES have *Allobj, AND is a member of the SSA
group profile (which only needs *USER), and has owner *GRPPRF. This profile
can be used for installing BPCS, for installing PTFS, for creating new BPCS
environments, etc etc. It is because some consultants have used the SSA
group profile to do these jobs that it has been left on customer boxes with
*ALLOBJ.

cheers,

Clare

Clare Holtham
Director, Small Blue Ltd - Archiving for BPCS
Web: www.smallblue.co.uk 
IBM Certified iSeries Systems Professional
Email: Clare.Holtham@xxxxxxxxxxxxxxx 

----- Original Message ----- 
From: <tay@xxxxxxxxxxxxx>
To: "SSA's BPCS ERP System" <bpcs-l@xxxxxxxxxxxx>
Sent: Thursday, February 24, 2005 9:13 AM
Subject: Re: [BPCS-L] Fix that SSA *Allobj Security Exposure!


>
> I am using the 4.5CD version of BPCS, and my idea is the same as what SSA
> suggests (profile *ALLOBJ). Otherwise, you need to define the BPCS files'
> authority individually (or by group), and you also need to study the files
> related to the programs each user runs and grant the authority accordingly.
> Imagine that you have over a hundred users and each user has to run
> different (or the same) programs (such as ORD500, ORD600, PUR500, INV500, etc.),
> and sometimes a user quits and is replaced by a new user.
> It will make you crazy!!
>
> From: Tay
>
> -- 
> This is the SSA's BPCS ERP System (BPCS-L) mailing list
> To post a message email: BPCS-L@xxxxxxxxxxxx 
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/bpcs-l 
> or email: BPCS-L-request@xxxxxxxxxxxx 
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.
>
> Delivered-To: Clare.Holtham@xxxxxxxxxxxxxx 
>





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
