× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SYSTEM21
  3. June 2006

Re: Control of database updates for Sarbanes-Oxley

Dan, we have completed our SOX controls here at NORTH Safety.  We feel
we have a very good control and verification of changes.  The question
you raised, we resolved by creating Group Teams to work in each of our
Three environments, 
OY1 (live), 
TST (User Testing), 
DEV (Programmer Development testing)

1. We started by creating a dummy user OY1TEAM, one for each team.  This
ID is disabled.   And only used for Supplemental Grouping.
                          Display User Profile - Basic

 User profile . . . . . . . . . . . . . . . :   OY1TEAM

 Previous sign-on . . . . . . . . . . . . . :
 Sign-on attempts not valid . . . . . . . . :   0
 Status . . . . . . . . . . . . . . . . . . :   *DISABLED
 Date password last changed . . . . . . . . :   05/28/99
 Password expiration interval . . . . . . . :   *SYSVAL
   Date password expires  . . . . . . . . . :     08/26/99
 Set password to expired  . . . . . . . . . :   *NO
 Local password management  . . . . . . . . :   *YES
 User class . . . . . . . . . . . . . . . . :   *USER
 Special authority  . . . . . . . . . . . . :   *NONE
 Group profile  . . . . . . . . . . . . . . :   *NONE
 Owner  . . . . . . . . . . . . . . . . . . :   *USRPRF
 Group authority  . . . . . . . . . . . . . :   *NONE
 Group authority type . . . . . . . . . . . :   *PRIVATE
 Supplemental groups  . . . . . . . . . . . :   *NONE

2. We then assigned all live users to be a part of the Supplemental
group
User profile . . . . . . . . . . . . . . . :   FREDS

Previous sign-on . . . . . . . . . . . . . :   06/06/06  14:01:02
Sign-on attempts not valid . . . . . . . . :   0
Status . . . . . . . . . . . . . . . . . . :   *ENABLED
Date password last changed . . . . . . . . :   03/30/06
Password expiration interval . . . . . . . :   *SYSVAL
  Date password expires  . . . . . . . . . :     06/28/06
Set password to expired  . . . . . . . . . :   *NO
Local password management  . . . . . . . . :   *YES
User class . . . . . . . . . . . . . . . . :   *USER
Special authority  . . . . . . . . . . . . :   *NONE
Group profile  . . . . . . . . . . . . . . :   QPGMR
Owner  . . . . . . . . . . . . . . . . . . :   *GRPPRF
Group authority  . . . . . . . . . . . . . :   *NONE
Group authority type . . . . . . . . . . . :   *PRIVATE
Supplemental groups  . . . . . . . . . . . :   OY1TEAM

3.  We assigned Object Authority to all Physical Files in our live
environment, to allow QPGMR to "*USE" the data with the Team Group
"*ALL" Authority.  This allows the programmers to refresh data in DEV or
TST, But does not allow them to change.  "Any" program that tries to
perform an update to a physical file, and the user is not in the
OY1TEAM, will crash.

                            Display Object Authority

 Object . . . . . . . :   INP35           Owner  . . . . . . . :   QPGMR
   Library  . . . . . :     OY1@@F3       Primary group  . . . :   *NONE
 Object type  . . . . :   *FILE           ASP device . . . . . :
*SYSBAS

 Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                          Object
 User        Group       Authority
 *PUBLIC                 *EXCLUDE
 *GROUP      QPGMR       *USE
 OY1TEAM                 *ALL


4. Finally, Use the System/21 Administrative Functions to control that
none of your "LIVE" users have Command Line Authority.  This will stop
them from running SQL and other update jobs.
XA100           Administration Functions                      System:
NSPS204
   Maintain User Profiles
    User Profile
Process
    CRPC1      * User not defined to OS/400 *
*Update

   Type changes, press Enter and then F3 to Update
    User level. . . . . . . . . . . 9 (1=Novice,3=Expert,8=Nov
Grp,9=ExpGrp)
    Initial menu  . . . . . . . . . AM
    Default sign-on company . . . . A2
    Single application task . . . .
    Default development application
    Language code . . . . . . . . .
    Default job queue / library . . QBATCH      /  QGPL
    Default print queue / library . PRTCRPUR01  /  QUSRSYS
    Hold on print queue . . . . . . 1       (1=Yes,0=No)
    Authorized to common functions  0       (1=Yes,0=No)
    Sign-off on leaving system. . . 1       (1=Yes,0=No)
    Date format (D/M/Y) . . . . . . M
    Allow submit job prompt . . . . 1       (1=Yes,0=No)
    Allow command entry . . . . . . 0       (1=Yes,0=No)
    Message delivery. . . . . . . . *USER
(*NOTIFY,*BREAK,*HOLD,*DFT,*USER)

5. We set each of our Environments up this way.  It works very well.  No
user can maintain "Live" data outside the System/21 Menu System.

6. You ask what happens in the event data "must" be patched in live and
no S21 function exists?

The Operations Staff has full control of assigning Authorities and User
Profiles.   They have a special user profile called "PRODUCTION".  This
user is normally disabled.  It can be activated by special written
authority, to allow corrections to data.   The correction is logged with
the request, and the update must be verified by the IT Manager, 


-----Original Message-----
From: system21-bounces@xxxxxxxxxxxx
[mailto:system21-bounces@xxxxxxxxxxxx] On Behalf Of
DThomas@xxxxxxxxxxxxxxxx
Sent: Tuesday, June 06, 2006 3:55 PM
To: SYSTEM21@xxxxxxxxxxxx
Cc: mdearmond@xxxxxxxxxxxxxxxx; bharper@xxxxxxxxxxxxxxxx
Subject: [SYSTEM21] Control of database updates for Sarbanes-Oxley

We are interested in restricting database updates outside System 21
applications.  Our thoughts are to limit these changes (which should be
rare) to DBU and use the DBU auditing utility.  We wish to prevent use
of
interactive SQL (STRSQL) and DFU.  I'm looking for feedback from other
companies that have gone through the same issue.  Also, would
restricting
use of STRSQL affect embedded SQL statements in System 21 RPG programs?

 

Dan Thomas 
Vice President
RxCrossroads 
4500 Progress Blvd
Louisville, KY  40218-3420
Office Direct (502) 318-1208 
Cell (502) 931-3736 
Fax (502) 318-1128 

 

 



This information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or privileged
material, the disclosure of which is governed by applicable law.  Any
review, retransmission, dissemination or other use of, or taking of any
action in reliance upon, this information by persons or entities other
than the intended recipient is prohibited.  If you received this in
error, please contact me and destroy the materials contained in this
message.


_______________________________________________
This is the System 21 Users (SYSTEM21) mailing list
To post a message email: SYSTEM21@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/system21
or email: SYSTEM21-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/system21.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.