× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Hopefully you now have had enough pointers to satisfy your immediate needs.
I know of multiple royal security messes with BPCS/400 and related risks,
some of which I am uncomfortable discussing details on-line. Ask me about
these if you interested, if consequences not immediately obvious. Hopefully
these true stories provide ideas for what might be worth checking. Some
where I worked, some at other places.

BPCS is embezzler-friendly.

When we do modifications to programs, within the source code we typically
include comments identifying what we did, for what purpose, impacting where
in the program, and who authorized this. Likewise it is smart to have a
document which can be given accounting auditors, explaining how come we are
doing some things which are outside the ERP audit trail standards. I have
several such documents. Uncle Milt has a manual specifically for accounting
auditors, identifying lots of things which can go wrong, through
misconceptions about BPCS.

Error messages are often responded to inappropriately. The default response
is more often than not, not the best response. However, management can
often ask for modifications to take response to error messages out of the
hands of users. This can be especially dangerous if there are error
messages associated with backups. Combine security not setup properly, for
person doing backups, error messages can't save what they not have authority
to save, and company no longer has proper backups, and not know it.

Where do you store backup tapes vs. computer room? I know of multiple
instances of an accidental company fire which destroyed both the computer
and the backups. Plus I know of a labor management dispute where a
disgruntled worker tried to have this happen accidentally on purpose.

Uncle Milt cited example of a clerk getting new job assignment, with
management insisting the clerk immediately get the new access, but no one
identifies what the clerk is no longer doing. Someone around long enough,
shifted around to different responsibilities, and you have a super-user.
Then we have a new hire, and IT is told to setup the new person with same
security as the super-user, without anyone reviewing whether the new hire
should have 100% the security that the super-user needed years ago.

Upper management insisted that a contractor get 100% of what they asked for
... IT protested, was overruled ... contractor changed QSYS and SSA to
master 400 security officers.

During a conversion, members of pilot team were shown all kinds of things.
Later during exit interview with one of the pilot team members, he
volunteered that one of the contractors had shown him master security
password (which we changed after the contractors left), which he had then
used to change his BPCS user id to master security to help him noodle around
where he was curious. That explained a lot of security hassles, which
previously had been a bit of a mystery.

During a conversion, there were some security hassles. Contractor
requested, IT protested, was over-ruled. Result was to continue the
conversion, with security un-installed. This was before IBM changed the
rules to put a lower platform on security levels.

A user made a call to tech support about a problem. Tech support told the
user how to use STRSQL from command line, to fix the problem. The user got
curious what else could be done with interactive SQL.

Management had insisted that everyone have access to everyone else reports,
so that one person can create reports, that another person then uses. A
senior accounting lady goes into computer room, locks the door while
printing what she thinks is highly confidential, but this peaks curiosity of
people to look in her spool file, so lots more people see the data than
would otherwise be the case.

In WRKSYSVAL you can setup a security audit to catch a variety of things
happening, that maybe is not good to be happening. The logs can be a pain
to navigate, but are well worth learning. I set this up for one thing, damn
near had a heart attack when I saw some other stuff happening.

If you run WRKSYSVAL with *PRINT, the report will identify all values that
are different than what comes from IBM out of the box.

When our accounting lady got sick, I got the assignment of using her PC to
do many of her daily chores. I was amazed to see she was receiving hundreds
of spam per day, some of it with attached viruses. I considered this a
serious security risk because same PC was being used for both Internet
banking and Internet e-mail. Previously I had tried to sell the company on
using KNUJON like I do, which means my spam went from serious to practically
non-existent. I had failed because I was told "Everyone gets spam, Al, get
over it." They would not believe that with KNUJON your spam goes to almost
zero.

A company with an AS/400 was hacked (thanks to a keylogger delivered via
fraudulent e-mail) and they made off with over $ 1 million. The FBI caught
a mule patsy, but after the $ was long gone.

Due to the seriousness of the economy going south, there was a freeze on all
payables except specifically for raw materials and utilities like rent.
This meant multiple months with no renewal for firewall or anti-virus
protection.

Due to economy going south, all managers asked to find ways to cut from
their department budget, so managers go around to their people asking for
suggestions. Staff of one dept show a manager how much $$$ is being spent
in another dept for stuff their dept is not privileged to have. Previously
senior accounting management was unaware that just about anyone could look
at General Ledger data, and understand it.

Some labor management disputes went seriously south. In one meeting, after
management representatives were talking about how bad the company was
financially, union reps showed green bar print-out with totally contrary
story, asked what else management reps might be lying about. IT was called
in to ask who could have leaked this kind of info, how to prevent future
leaks.

An IBM branch office had tons of security for anyone entering, especially
outside business hours. They were in an office building with false ceilings
contiguous with another business with poor security. Crooks broke into
neighbor business, climbed over false ceilings, totally bypassed IBM
physical security.

I know other stories about security disasters which do not directly apply to
BPCS or IBM.

-
Al Mac
-----Original Message-----
From: bpcs-l-bounces+macwheel99=wowway.com@xxxxxxxxxxxx
[mailto:bpcs-l-bounces+macwheel99=wowway.com@xxxxxxxxxxxx] On Behalf Of Pete
Helgren
Sent: Friday, October 01, 2010 12:23 PM
To: BPCS ERP System
Subject: [BPCS-L] Adding menu options

Brand new to a very old version of BPCS (it appears to be 4.05 CD?) I
was brought in on an emergency basis to a local company that had an
unanticipated change in IT resources. So am am scrambling a bit to help
them.

They wanted everyone to change their passwords and they have done so on
the Windows side of things but because some of the users have LMTCPB Y
on their user profiles they cannot change their passwords even though it
looks like they can get to a command line.

So the question is: How do I go about adding this as an option on menus
the users have access to within BPCS? Is there a program that controls
menu items and menus or is this something that requires so programming.
Or, is there a better way to handle this?

Any pointers would be helpful.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.