


Regarding AMAPICS, adding that to users gives them complete access to the
mapics files.  I see this as being akin to *allobj.  I have never given
these types of rights to users unless absolutely necessary.  Prior to
Sarb-Ox, I had it as my group and would have my objects created with group
(i.e. AMAPICS owned all the programs I compiled and I would change the
program to *owner).  Now with Sarbanes, my profile has restrictions and I
had to take out AMAPICS and I don't have access to the files, but I still
need to program.  What I did for myself (and others) is create a group
called @fileuser and gave this group *use rights to the mapics files.  This
was my workaround for giving some "power" users query capabilities and
allowing myself to get copies of the files for program testing.


----- Original Message ----- 
From: "Kevin Fox" <kdfox@xxxxxxxxxxxxx>
To: <mapics-l@xxxxxxxxxxxx>
Sent: Wednesday, December 29, 2004 7:40 PM
Subject: RE: MAPICS - need info on the AMAPICS user profile


> Dave,
>
> I'm with you on this one.  So please, rant away!
>
> It is still amazing to me how many MAPICS sites do not understand the
> MAPICS security methodology.  This is not meant to offend anyone, but if you
> don't know this you're just asking for trouble.
>
> It's like the CEO who asked me to evaluate his security system now that
> they were on the Internet.  They had purchased MAPICS about 2 years prior
> and were just now linking the AS/400 data to web inquiries.
>
> I walked up to a PC and logged into the AS/400 with QSECOFR and the
> default password!!
>
> (Note: This was about 3 years ago before IBM forced a change to the
> password.)
>
> I turned to the CEO and said "I will 100% guarantee that your company's
> systems WILL be hacked."  He looked shocked.  I told him that it was obvious
> that their IT department did not have even rudimentary security policies in
> place.
>
> These shops that don't understand the basics are the same shops that allow
> programmers to program with QSECOFR authority.  Amazing!
>
> Anyway,  for those of you attempting to clear SARB-OX audits please be
> aware that this type of neglect will get a failing grade from any of the
> reputable audit firms.
>
> Greg you are absolutely correct in your understanding of the "short cuts"
> taken by the lazy, the ignorant, and the downright dishonest consultants
> that should know better.
>
> I put this one right up there with disabling "Level Check".
>
> RANT AWAY DAVE!
>
> Kevin Fox
> kdfox@xxxxxxxxxxxxx
>
> Greg,
>
> It is/may be difficult to change all your users from having AMAPICS as a
> group if programs that were created that use MAPICS files were not
> created correctly.
>
> The programs should be owned by AMAPICS and the User Profiles should say
> *OWNER. Also, they should say USE ADOPTED AUTHORITY *YES..
>
> This was a shortcut for people who didn't know how MAPICS security
> worked and was a quick way of giving access to users to files for
> Query.. With all the other ways that users can access the data now, this
> is a HUGE security hole..
>
> I have found that many MAPICS customers have AMAPICS as the group
> profile on their users..
>
> To make this work, you need to first verify that all your programs that
> are accessing MAPICS files are compiled properly. You can use the
> CHGOBJOWN or CHGOWN (depending upon which release of the OS you are on).
> You can also do a CHGPGM to change the USRPRF parameter to *OWNER and
> the USEADOPT parameter to *YES.
>
> Once you do that, you can try a few users to see if you didn't miss
> anything.
>
>
> Michael Franchino
> Custom Systems Corporation
> 334 Sparta Ave
> Sparta, NJ  07871
>
> 973-726-0202 X214
> 973-726-4552 Fax
> http://eax.cussys.com
>
>
> -----Original Message-----
> From: mapics-l-bounces@xxxxxxxxxxxx
> [mailto:mapics-l-bounces@xxxxxxxxxxxx] On Behalf Of Greg Wenzloff
> Sent: Wednesday, December 29, 2004 1:03 PM
> To: 'MAPICS ERP System Discussion'
> Subject: RE: MAPICS - need info on the AMAPICS user profile
>
> Dave,
>
> Your reply confuses me somewhat.  I thought this was the way MAPICS came
> to everyone <with the AMAPICS uses as a group profile>.  You imply that the
> people who set up our system took a short cut.   Are you saying I can undo
> the situation?   If so - please explain with some details.
>
> Thanks,
> Greg
>
> -----Original Message-----
> From: Dave Shaw [mailto:daveshaw@xxxxxxxxxxxxx]
> Sent: Wednesday, December 29, 2004 11:25 AM
> To: MAPICS ERP System Discussion
> Subject: Re: MAPICS - need info on the AMAPICS user profile
>
> Greg,
>
> There is NO good reason for AMAPICS to be a group profile for ANY user!
> I've heard of it being set up this way several times, and each time I
> just shake my head.  MAPICS programs use adopted authority to access the
> files, and any custom programs or queries that you have should use some
> similar mechanism, NOT a group profile scheme using AMAPICS!
>
> Pardon my rant, but I was using MAPICS for years before IBM added the
> group profile capability, and I find this particular shortcut terribly
> dangerous.
>
> Dave Shaw
>
> ----- Original Message -----
> From: "Greg Wenzloff" <GWenzloff@xxxxxxxxxxx>
> To: <mapics-l@xxxxxxxxxxxx>
> Sent: Wednesday, December 29, 2004 10:42 AM
> Subject: MAPICS - need info on the AMAPICS user profile
>
>
> > Hello List,
> >
> > I've been using MAPICS for 14 years but never paid much attention to the
> > AMAPICS user profile.  Could members of this list tell me how you handle
> > this user profile which on my system has 5 of the 8 special authorities
> > active.
> >
> > Our regular users have AMAPICS as a group profile which if I'm correct
> > adopts these special authorities.  This is not desirable with Sarbanes-Oxley
> > scrutiny in progress.
> >
> > Can a regular user operate successfully in MAPICS without that group
> > profile?
> >
> > Can the special authorities be trimmed way back without causing problems?
> >
> > Any info would help.  Thanks in advance.
> >
> > Greg Wenzloff
> > Beck Manufacturing
> >
> > XAR4
> _______________________________________________
> This is the MAPICS ERP System Discussion (MAPICS-L) mailing list
> To post a message email: MAPICS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/mapics-l
> or email: MAPICS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/mapics-l.
>
>
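
The audit and clean-up steps discussed in this thread, written out as CL commands. This is an added example, not part of any poster's message: MYPGMLIB, MYPGM, MYFILELIB and JSMITH are placeholder names, and the person running it is assumed to have security-administrator authority.

```cl
/* Added example. MYPGMLIB, MYPGM, MYFILELIB and JSMITH are           */
/* placeholders; substitute your own libraries, programs and users.   */

/* 1. See what AMAPICS itself carries (special authorities), and      */
/*    which users currently inherit it through group membership.      */
DSPUSRPRF USRPRF(AMAPICS) TYPE(*BASIC) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(AMAPICS) TYPE(*GRPMBR) OUTPUT(*PRINT)

/* 2. List the programs that already adopt AMAPICS authority.         */
/*    Custom programs that touch MAPICS files but are missing from    */
/*    this list are the ones that only work because of the group.     */
DSPPGMADP USRPRF(AMAPICS) OUTPUT(*PRINT)

/* 3. Fix each such custom program: AMAPICS owns it and it runs       */
/*    under the owner's authority, as the MAPICS programs do.         */
CHGOBJOWN OBJ(MYPGMLIB/MYPGM) OBJTYPE(*PGM) NEWOWN(AMAPICS)
CHGPGM PGM(MYPGMLIB/MYPGM) USRPRF(*OWNER) USEADOPT(*YES)

/* 4. For query users and programmers who need to read the files,     */
/*    use a separate group with *USE only (the @FILEUSER approach     */
/*    described in the reply at the top). The group has no password   */
/*    and no special authorities.                                     */
CRTUSRPRF USRPRF(@FILEUSER) PASSWORD(*NONE) SPCAUT(*NONE) +
          TEXT('Read-only access to MAPICS files')
GRTOBJAUT OBJ(MYFILELIB) OBJTYPE(*LIB) USER(@FILEUSER) AUT(*USE)
GRTOBJAUT OBJ(MYFILELIB/*ALL) OBJTYPE(*FILE) USER(@FILEUSER) AUT(*USE)

/* 5. Pilot with a few users before changing everyone: remove the     */
/*    AMAPICS group and have them run their normal MAPICS work.       */
/*    OWNER and GRPAUT are reset because they depend on GRPPRF.       */
CHGUSRPRF USRPRF(JSMITH) GRPPRF(*NONE) SUPGRPPRF(*NONE) +
          OWNER(*USRPRF) GRPAUT(*NONE)

/* 6. Re-run step 1 afterwards; the *GRPMBR report should shrink to   */
/*    nothing once every user has been moved.                         */
DSPUSRPRF USRPRF(AMAPICS) TYPE(*GRPMBR) OUTPUT(*PRINT)
```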




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
