Re: Audit BPCS?

[Al Mac <macwheel99@xxxxxxxxxxx>]

Your 400 might have 100 user-ids that can access the 400.
Your 400 security officer can get list from GO SEC or other menus
I use DSPUSRPRF F4 get *PRINT or some such command

Your ZSC file might have 55 of those user-ids that can access BPCS.
Do you have more than one BPCS environment?

If you have a test environment and you have not used it in a while, better
check that it does not have stuff in it that is no longer relevant to your
reality.  When we checked ours, we found that its ZSC file had security for
people who had not been employed at our company for over a year.

I suggest you check your license ... does it say only 50 people allowed to
access BPCS?

I suggest you create a little program (we used query/400) to list the
people who have access to BPCS, and you also run some list off of IBM
security ... who are all the people who have access to the 400?  Turn those
lists over to your Personnel or Human Resources dept for review.

What can happen at a company is that people are hired, terminated, but the
computer department is only told "Please add this new person to computer
security" is not told, "so and so is no longer with us, take them off of
computer security" so you end up with people names having access who no
longer with your company.

When you have got your security cleaned up (caught up) then there needs to
be a review.
Perhaps the size of your staff has changed thanks to how the economy has gone.

We traded in a license for a lot of users, to get a cheaper number of users.
Thus by SSAGT forcing us to do this audit, they lost money.
Had we ignored security auditing, we would still be paying them for the
larger license.

When you use BPCS security to delete someone access, the record does not
actually go away, it gets soft coded with a delete code.  I wrote a tinie
tiny program that goes through the ZSC file and for every one that is coded
delete, it actually removes the record from the file.

SSAGT was very reasonable with us.
We explained that we access the test education environment with a different
sign on so for example there is sign on AL ALE JERRY JERRYE MIKE MIKEE DAVE
DAVEE etc.
Only one person there in each pair
Also ALS for AL doing security work, as opposed to accessing stuff that an
ordinary user can do
There is only one AL but AL has 7 different sign-ons with different
mixtures of security for specialized stuff AL rarely does ... reason, AL
often gets called away from desk and is still signed on, wants it left with
something nothing special ... uses special sign-ons by sign on with it, do
whatever, sign off with it.
But all those AL sign ons can look suspicious to an auditor if no
explanation given.

Which applications have you paid for, and which are turned on in system
parameters.
Example ... WE ARE NOT USING CERTAIN APPLICATIONS but we turned some stuff
on so people could look at the help screens to help decide if we want to
buy that or not ... well we turned them off so there would be no
misunderstandings during the audit, and in fact we have not turned them on
again ... I don't think we will be getting more applications any time soon

> They look at the key to determine the installed products and look at the
> installed products screen in the system parameters. They query the ZSC
> file for users to determine if the number of license users has expired.
>
> >>> vertekex@seznam.cz 09/10 6:32 AM >>>
> Hallo all,
> SSA promises audit all of its BPCS clients.
> Do you have any experiences with it or
> do you know how is this audit performed?
> TIA
>
> Franta
>
> ______________________________________________________________________
> Reklama:
> Kam do kina ci divadla? http://kultura.seznam.cz
> _______________________________________________
>
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.
-
Al Macintyre (macwheel99@sigecom.net via Eudora)
Al's diary http://radio.weblogs.com/0107846/