Dave ...
Developers should have two (2) user profiles... One for developing code
and one for production application access if required.
The production profile should not allow any more access that any other
production profile.
Kenneth
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Turnidge, Dave
Sent: Thursday, May 31, 2007 1:13 PM
To: Midrange Systems Technical Discussion
Subject: Non-Limited profile and QUSCMDLN
We have what I would consider a security hole in our iSystems. All
users, except for developers and Support Center staff, are Limited
Users. This means that they cannot enter (most) commands on a command
line. However, developers and Support Center staff CAN enter commands on
the command line. The bigger problem is that when they are on a
production menu, and request a command line, they have adopted
production authority. They could then pretty much do what they want.
Removing the command line is not on our list of things to do, so I am
attempting to track when the command line IS used by anyone so I can
track the commands entered.
I have looked through QAUDJRN, and see the command being entered, but
nothing that tells me that they have requested the command line or are
working from a command line. Is there any way to determine this?
Thank you,
Dave
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/midrange-l.
midrange.com
