|
There is a feature in AS/400 security that I am not well versed in. You can set some controls to let you know a hypothetical. We are at security level XX but are considering moving to XX+10The audit journal can tell you what actions were permitted at XX that would be blocked at XX+10. ie. XX lets users do stuff, but tells the security audit journal what you doing that needs fixing before you upgrade your security, to avoid this breaking.
I do not know if this feature can be used on other scenarios.During a conversion, the consultants claimed they needed *ALLOBJ authority. We discovered that applications run under inappropriate authority can mess up our data base. In other words, when we took away the excess authority, we then had trouble accessing files and programs that had been created by people with the excess authority.
We use different sign-ons for different purposes.An IT person can get called away from desk on short notice to deal with some situation. While gone, that person may be still signed on, and someone visit their desk and use their sign on. For this reason I am very careful that my normal sign on not have extraordinary access, I carefully sign off if I happen to be in some high security thing when called away from my desk, and then there is the issue of running an unattended backup. We not want normal crew to arrive next morning to find system signed on as master security officer, because a backup was started, then the operator went home. However, I have been known to go out to supper while a backup is running.
There is application software originally written eons ago that was fine then from security perspective, but security needs are a moving target. There are some 3rd party security services out there which have created security conversion to upgrade the security on popular old packages. For example, UPI has one to fix BPCS V4 security.
Al - I agree with everything you say ... Especially that *SAVSYS is an authority required by an Operator in order to perform backups... I inherited a system where the primary production application was originally set up to run under an *ALLOBJ authority user! All the application developers were *ALLOBJ users too! Over the years we have made significant progress trimming that back to something more reasonable. I just recently was able to remove *JOBCTL authority from the users of this application. There were processes within the application that started and stopped subsystems! The question I'm trying to answer now is "Why do regular application uses require *SAVSYS authority?" None of the developers in my shop can answer that question. I need to understand that before I remove this special authority from the application's group profile. I was hoping that I could get information from the audit journal regarding this. It looks like it isn't going to be that easy. I'll probably end up recommending that we make the change, see what "breaks" and then address each situation as it comes up. Kenneth -----Original Message----- From: Al Mac Be sure to include time frame of annual events such as physical inventory, end year fiscal, auditor reports ... there may be some special needs that are not run on a regular basis. I think * SAVRST should only be needed by IT people involved in backup recovery operations, and conversions. It is not needed for people who download 400 reports into Excel or attach to e-mail. * IO config similarly is only needed by IT people managing hardware connections * We give most of our users access to the spool file reports of co-workers, because it is not unusual that one person in a department generates a report, and others need to view it, or reprint it. This means that there is no such thing as a confidential report at our company, only some people who think some data is confidential. Of course there is always vendor software / hardware that is a little brain dead in the Security dept. >Actually what I'm trying to do is gain an understanding what processes >in my shop require Special Authority... I was hoping to analyze the >audit journal for the last few months to get this information
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
