|
midrange.com
Based on the responses so far, I think the problems I have with update vs.
inquiry security must be unique due to the fact that we are client/server.
We are able to limit access by program with no problem. So we don't allow
people access to month-end programs, and we can limit their access to
programs that are inquiry only, like INV300 and CST300 without any problem.
Our problem happens on things like the vendor master, customer master, or
item master. We can't give people access to just display the information.
There is a file command in the menu bar at the top of the window that allows
them to choose between create, copy, revise, delete, and display functions.
We cannot limit which function they choose.
Martha Bayer
Badger Mining Corporation
920-361-2388
mbayer@badgerminingcorp.com
-----Original Message-----
From: MacWheel99@aol.com [SMTP:MacWheel99@aol.com]
Sent: Monday, July 19, 1999 3:21 PM
To: BPCS-L@midrange.com
Subject: Re: BPCS Security Concepts
> Subj: RE: BPCS Security - More information
> From: mbayer@badgerminingcorp.com (Martha Bayer)
> We're on 6.0.02 CS AS/400. We were told by SSA consultants that
update vs.
> inquiry security may be available in version 7.0. I wonder how
many others
> think this is an important feature? Has any one found a way
around it?
Update vs. Inquiry security is available in version 405 CD - did it
go away
in V6 or am I not understanding something?
My understanding of this is that INQUIRY is where people can view
data via
INV300 SFC350 CST300 etc. while update means people can run jobs
that update
the BPCS data base such as ORD500 JIT600 etc.
One headache with 405 CD security is the group security is an all or
nothing
everyone same rules, so to offer different IBM rules to some user
sub-groups,
we have to risk a performance hit by having secondary user groups.
Another headache is that we have users who have had to be granted
command
line authority, and been shown how to do some support tunctions for
narrow
reasons, then used their know-how & access in ways I consider quite
dangerous, like DFU vs. BPCS file contents.
> Subj: Re: BPCS Security - More information
> From: mkamara@krupsusa.com
>
> We're on 6.0.04 MM, AS/400 720 V4R3 and new to BPCS. We are a
> wholesale/distribution company in the US. I have set up basic
security
> given access to the modules based on departments. I will like to
have a
> tighter control without affecting performance where some users
will update
> capabilities and others have inquiry only.
Check BPCS Documentation - there is an outline of how the security
works.
Whatever consultant helped you get setup might have additional
reccommendations on this topic. Take a look at how work station
defaults are
changed & if you want end users doing that. Who should be making
changes to
BPCS User Menus? Does every module have a manager who decides who
all should
have what kind of access to which areas? Usually the department
head says
anyone can inquire into our stuff but only people in our department
ought to
be changing the contents & here is a list of users in our
department. Some
data is more sensitive than others, such as profit margins. Do you
want or
need people to be able to manipulate / view the contents of other
people's
reports?
Check BPCS_L archives for remarks I made on BPCS Security several
months ago.
The things that were the major conceptual stumbling blocks for my
project
team personnel regarding comprehending security issues.
1. The SFC600 Module List works on basis of OPPOSITES.
Some people we have coded NO to all modules, then down below listed
just the
programs we want them to be able to run, such as some inquiries &
pop-up
menus.
These people are coded N in the list of modules, so that the
programs listed
below are what are YES for them.
Some people we want them to be able to do just about anything in a
particular
module, such as SFC & JIT, but we say NO to end-of-month stuff like
SFC905 &
JIT900.
Those folks are coded Y for the overall modules - so that the stuff
down
below on that module are the NO exceptions we do not want them to
get into
for whatever reason.
2. Anyone can make a mistake & take a wrong menu option & get into
trouble -
for example we had some people taking some end-of-month options &
trying to
exit & in their frustration, causing unwanted updates.
As the block of opposites grows, and as people's security needs to
be
changed, we want to keep the picture easy to read, so we organize
the stuff
generally A to Z left to right & 1 to 10 top to bottom.
3. A query can have any name, but to run it from BPCS Menu, it needs
to be
named logically within the BPCS naming conventions, avoid risk of
conflict
with future PTF, and fit within the security rules. Our
modifications &
queries use the 3 letter prefix of ORD INV etc. but by the 6th
character have
shifted alphabetical. We have some power users who create queries,
create
the CL to run them, and put the CL on BPCS User Menus. This
capability
requires command line authority, right SYS stuff for the menus, IBM
Programmer Authority to compile the CL, and support to cross library
lists
when copying a query between 2 different environments.
4. We can muck with additional rules on how BPCS Security functions,
and
change IBM commands, but let's not add to the complexity of Security
if we do
not want to make this a full time job.
On IBM Security - you might want to make the first place people go =
the BPCS
Menu for their environment, then the second place where they go,
when they F3
out of BPCS to be *SIGNOFF, so only people who know how with either
command
line authority, or other stuff, can get into OS/400 menus.
We are in constant struggle of WHY DOES THIS PERSON NEED COMMAND
LINE
AUTHORITY? The main reason is they were taught how to do something
by
someone who did not think computer security was especially
important, and are
now more comfortable navigating via that method than the vanilla
menus.
We have created CL for BPCS User Menu to do many of the things that
people
said were the reasons why they needed access to IBM Menus.
I hope this helps
Al Macintyre
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to
BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
