The SSA profile is not shipped, but created by the BPCS install program. It should not have *Allobj or *Secofr or even *Pgmr authority - this is dangerous because of the way BPCS users are traditionally set up (with the SSA profile as their group profile). The SSA profile should have class *USER and no special authorities, i.e. special auts should be *USRCLS - you can't use the Cross Reference (XRF) programs anyway now, as 1) no source and 2) SQL file access is not picked up; and spool control needs to be more granular anyway. The SSA profile should have password set to *NONE (or you could disable it) because it is a group profile and should not be used to sign on.

The danger is that someone will change it to have *Secofr authority because they want to use it, for example to install some BPCS add-ons or PTFs or BMRs, and will forget to change it back. This is a serious security exposure as all your BPCS users will be able to do anything if they can access a command line (or maybe via a PC).

You should always create a profile specially for this. In Europe we usually create one called SSALOAD which has *Secofr authorities and is a member of the SSA group profile with Owner *GRPPRF; this ensures that all the objects created under the profile will have the traditional owner SSA and therefore be accessible to all users set up in the traditional way (group profile SSA and Owner *GRPPRF). Ensure that internal people and SSA and other external consultants use this profile and not SSA. Ignore any documentation from SSA that tells you to do something (e.g. install) using the SSA profile!

Unfortunately, if your shop has SSA with higher authorities, you will need to check first that you don't have objects owned by QSECOFR etc. in the BPCS library list, as this might cause problems when you remove the authority! TAATOOL (www.taatool.com) has some good tools for doing this.

If you have a mainly green screen environment the traditional approach works well as it is simple and does not involve too high a level of 'authority lookups' by the system - these can be a performance overhead. You could make your users limited capability so that they could not use the command line, but change the WRKSPLF and maybe WRKQRY commands to 'allow limited capability user *Yes', or you could use the menu approach that someone else suggested.

If you have lots of PCs and your users use ODBC and know how to access the BPCS database via Access or whatever, then the traditional approach will be a huge exposure, as all the users have implicit access to all the BPCS files at all levels. To get round this you could use adopted authority. You would need to change 5 or 6 BPCS programs to use *Owner authority rather than *User. You could then remove the SSA group profile from all user profiles. You would of course have to test this thoroughly. A pharma company implemented this type of set-up in Full Client Server BPCS; however, they found that they had to allow access to the NEWI and DOCA libraries at the library level, if I remember rightly. I also know some companies who have attached private authorities and also authorisation lists to every object in BPCS.

The point is, it can be done, but if you don't need it, keep it simple. Security doesn't have to be byzantine to work! Some companies implement really complicated security systems but leave passwords on post-its next to the terminals...

Hope this helps,
Clare

rhamberg@mother-parkers.com on 18/02/2000 19:11:19

Please respond to BPCS-L@midrange.com

To: BPCS-L@midrange.com
cc: (bcc: Clare Holtham/UK/SSA_EUROPE)
Subject: User profile SSA

Can anyone explain why BPCS profile SSA has *ALLOBJ authority? We are AS/400 running BPCS 6.0.02 mixed mode.

+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
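
The profile set-up described in the reply above, written out as CL commands; this is an added example, not part of the original post and not SSA's own procedure. BPCSUSER1 and the initial password are placeholders, and it assumes the system runs at QSECURITY 30 or higher, where class *USER with SPCAUT(*USRCLS) carries no special authorities.

```cl
/* Added example, not from the original post.                        */
/* Assumption: QSECURITY is 30 or higher, so USRCLS(*USER) with      */
/* SPCAUT(*USRCLS) gives the profile no special authorities.         */

/* 1. Before lowering SSA, print what QSECOFR owns and check the     */
/*    list for objects in the BPCS libraries.                        */
DSPUSRPRF  USRPRF(QSECOFR) TYPE(*OBJOWN) OUTPUT(*PRINT)

/* 2. Print the members of the SSA group: each one inherits          */
/*    whatever authority SSA holds.                                  */
DSPUSRPRF  USRPRF(SSA) TYPE(*GRPMBR) OUTPUT(*PRINT)

/* 3. Reduce SSA to a plain group profile that cannot sign on.       */
CHGUSRPRF  USRPRF(SSA) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*USRCLS)

/* 4. Create the separate install profile. GRPPRF(SSA) with          */
/*    OWNER(*GRPPRF) makes SSA the owner of everything it creates.   */
/*    CHANGEME1 is a placeholder; PWDEXP(*YES) forces a change at    */
/*    first sign-on.                                                 */
CRTUSRPRF  USRPRF(SSALOAD) PASSWORD(CHANGEME1) PWDEXP(*YES) +
             USRCLS(*SECOFR) SPCAUT(*USRCLS) +
             GRPPRF(SSA) OWNER(*GRPPRF) +
             TEXT('BPCS install and PTF/BMR load profile')

/* 5. Green-screen users: no command line, but spooled files stay    */
/*    reachable. BPCSUSER1 is a placeholder user profile name.       */
CHGUSRPRF  USRPRF(BPCSUSER1) LMTCPB(*YES)
CHGCMD     CMD(WRKSPLF) ALWLMTUSR(*YES)

/* 6. Confirm the result: SSA should show class *USER, password      */
/*    *NONE and no special authorities.                              */
DSPUSRPRF  USRPRF(SSA) TYPE(*BASIC)
```

Re-running step 6 after any install or PTF load shows whether SSA has been raised again and left that way.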
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.