Hi Dee Dee,

The attribute you are changing is a Group Job attribute. The group job is
what you see when you press the ATTN key and start another job  from a
WRKACTJOB job screen. You'd see your job where the ATTN key was pressed with
a '+' sign next to it. Use F14 to show the group jobs under the first
interactive job. Batch jobs by definition can't be group jobs, since there
is no display file to bring up another session. This does not reset group
profile security for the user.

I suggest that you download the V8.1 install instructions from OGS Online to
read the appendix dealing with securing the database in BPCS. This explains
how programs compiled with user profile *OWNER and the proper set up of BPCS
file objects will eliminate the need for the SSA Group profile on the
individual BPCS users profiles. This can then secure your data files from
users running queries outside BPCS or trying to look at files from a PC ODBC
connection etc.. If done correctly, the BPCS files would then only be able
to be directly accessed through running a BPCS program or if the user in
question was part of a special authorization list for that file, or if the
user in question had *ALLOBJ authority on the system.

Also check out BMR 51582 done on other BPCS releases. You would need to get
the security programs for BPCS CD sent to you compiled with User Profile
*OWNER to make this all work properly (since you can not recompile those
yourselves). You could request the actions done for this BMR on V6.x be
completed for BPCS CD (contact Support Center AS/400 Technical team for this
and request they escalate the new BMR).

The other issue to watch out for is command line access from within BPCS.
You'll want to make sure that users don't inherit the authority and then do
what they want to the files from the command line. In V6.x releases, BMR
57230 (6100 80) and 62640 (6004) were completed to secure the BPCS command
line from adopting inappropriate authorities.

If you own source, this is an easy change to do yourself, by just making
sure a separate program calls the command line (or any system function which
brings up a command line, such as WRKSPLF) and the separate program is
compiled with as User Profile *USER and Adopt Authority (from previous call
level) *NO.


Genyphyr Novak

----- Original Message -----
From: "DeeDee Virgei" <DeeDee.Virgei@nelsonstud.com>
To: <bpcs-l@midrange.com>
Sent: Monday, September 23, 2002 11:17 AM
Subject: Group Profile Security

> Hi All,
> We are looking to beef up our BPCS (4.05 CD) security.  More specifically,
> I'm planning to change our users group profiles to "*NONE" (in place of
> SSA); then, I plan to add "CHGGRPA  GRPJOB(SSA)"  command to the BPCSMENU
> program.  After testing one profile, I found this works if the user runs
> everything interactively.  However, I run into security violations when
> user runs any of the BPCS jobs in batch mode; the group profile attribute
> apparently does not carry over to jobs stemming from the interactive
> session/job...  Has anyone run into this situation -- appreciate any
> Thanks.
> DeeDee Virgei
> Nelson Stud Welding, Inc.
> 7900 West Ridge Rd
> Elyria, OH 44036

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.