|
midrange.com
The SSA profile is not shipped, but created by the BPCS install program. It
should not have *Allobj or *Secofr or even *Pgmr authority - this is
dangerous because of the way BPCS users are traditionally set up ( with the
SSA profile as their group profile). The SSA profile should have class
*USER and no special authorities, i.e. special auts should be *USRCLS - you
can't use the Cross Reference (XRF) programs anyway now, as 1) no source
and 2) SQL file access is not picked up; and spool control needs to be more
granular anyway.
The SSA profile should have password set to *NONE (or you could disable it)
because it is a group profile and should not be used to sign on. The danger
is that someone will change it to have *Secofr authority because they want
to use it, for example to install some BPCS add ons or PTFs or BMRs, and
will forget to change it back. This is a serious security exposure as all
your BPCS users will be able to do anything if they can access a command
line (or maybe via a PC).
You should always create a profile specially for this, in Europe we usually
create one called SSALOAD which has *Secofr authorities and is a member of
the SSA group profile with Owner *GRPPRF, this ensures that all the objects
created under the profile will have the traditional owner SSA and therefore
be accessible to all users set up in the traditional way (group profile SSA
and Owner *GRPPRF). Ensure that internal people and SSA and other external
consultants use this profile and not SSA. Ignore any documentation from SSA
that tells you to do something (e.g. install) using the SSA profile!
Unfortunately, if your shop has SSA with higher authorities, you will need
to check first that you don't have objects owned by QSECOFR etc in the BPCS
library list, as this might cause problems when you remove the authority!
TAATOOL (www.taatool.com) has some good tools for doing this.
If you have a mainly green screen environment the traditional approach
works well as it is simple and does not involve too high a level of
'authority lookups' by the system - these can be a performance overhead.
You could make your users limited capability so that they could not use the
command line, but change the WRKSPLF and maybe WRKQRY commands to 'allow
limited capability user *Yes', or you could use the menu approach that
someone else suggested.
If you have lots of PCs and your users use ODBC and know how to access the
BPCS database via Access or whatever, then the traditional approach will be
a huge exposure, as all the users have implicit access to all the BPCS
files at all levels.
To get round this you could use adopted authority. You would need to change
5 or 6 BPCS programs to use *Owner authority rather than *User. You could
then remove the SSA group profile from all user profiles. You would of
course have to test this thoroughly. A pharma company implemented this type
of set-up in Full Client Server BPCS, however they found that they had to
allow access to the NEWI and DOCA libraries at the library level if I
remember rightly. I also know some companies who have attached private
authorities and also authorisation lists to every object in BPCS. The point
is, it can be done, but if you don't need it, keep it simple. Security
dosn't have to be byzantine to work! Some companies implement really
complicated security systems but leave passwords on post-its next to the
terminals.....
Hope this helps,
Clare
rhamberg@mother-parkers.com on 18/02/2000 19:11:19
Please respond to BPCS-L@midrange.com
To: BPCS-L@midrange.com
cc: (bcc: Clare Holtham/UK/SSA_EUROPE)
Subject: User profile SSA
Can anyone explain why BPCS profile SSA has *ALLOBJ authority?
We are AS/400 running BPCS 6.0.02 mixed mode.
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
