×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
I was just at a client site this week that was a victim of both evil security stalkers - Infinium and JDE. But lucky for them, their OWNER parameter was set to *USRPRF for most users. I believe that *GRPPRF is the right way to do it, but in the case of a poorly designed object ownership scenario, it's better this way if the group profile was indeed JDE or JDEINSTAL or something similar for the users creating profiles!...
"However, (this is my belated contribution to the Halloween season)...
IF
You run a popular software package such as JDE, or Infinium, or many, many others where the object ownership practice is:
-All objects are owned by user FRED (Insert your favorite owner profile here)
-Everyone is a member of Group FRED
-Everyone (or more importantly, the person who creates new profiles) has the OWNER parameter in their user profile set to *GRPPRF.
THEN
Every new profile that is created will be owned by the Group Profile, and every member of the group will have more than *USE rights to all of those profiles.
I've been in shops with over 1000 users where every user id was owned by the group so every user could do this command... SBMJOB CMD(CHGUSRPRF USRPRF(user_id) PASSWORD(new_password) STATUS(*ENABLED)) USER(SomeBody) ...To every other user in the group.
Pretty scary huh?
Don't let this happen to you. QSECOFR should own all profiles. No one should have even *USE rights to any other profile unless you explicitly want them to be able to assume another's identity.
There, now my Halloween is officially over. :)"
Best regards,
Steven W. Martinson, CISA, CISM, CISSP
Security Consultant
Cypress, Texas
Mobile: 713.277.5845
Fax: 281.758.2429
As an Amazon Associate we earn from qualifying purchases.
This thread ...
Re: Change user profile without *SECADM, (continued)
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
[javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.