|
Hi Dee Dee, The attribute you are changing is a Group Job attribute. The group job is what you see when you press the ATTN key and start another job from a WRKACTJOB job screen. You'd see your job where the ATTN key was pressed with a '+' sign next to it. Use F14 to show the group jobs under the first interactive job. Batch jobs by definition can't be group jobs, since there is no display file to bring up another session. This does not reset group profile security for the user. I suggest that you download the V8.1 install instructions from OGS Online to read the appendix dealing with securing the database in BPCS. This explains how programs compiled with user profile *OWNER and the proper set up of BPCS file objects will eliminate the need for the SSA Group profile on the individual BPCS users profiles. This can then secure your data files from users running queries outside BPCS or trying to look at files from a PC ODBC connection etc.. If done correctly, the BPCS files would then only be able to be directly accessed through running a BPCS program or if the user in question was part of a special authorization list for that file, or if the user in question had *ALLOBJ authority on the system. Also check out BMR 51582 done on other BPCS releases. You would need to get the security programs for BPCS CD sent to you compiled with User Profile *OWNER to make this all work properly (since you can not recompile those yourselves). You could request the actions done for this BMR on V6.x be completed for BPCS CD (contact Support Center AS/400 Technical team for this and request they escalate the new BMR). The other issue to watch out for is command line access from within BPCS. You'll want to make sure that users don't inherit the authority and then do what they want to the files from the command line. In V6.x releases, BMR 57230 (6100 80) and 62640 (6004) were completed to secure the BPCS command line from adopting inappropriate authorities. If you own source, this is an easy change to do yourself, by just making sure a separate program calls the command line (or any system function which brings up a command line, such as WRKSPLF) and the separate program is compiled with as User Profile *USER and Adopt Authority (from previous call level) *NO. Thanks, Genyphyr Novak SSA GT R&D ----- Original Message ----- From: "DeeDee Virgei" <DeeDee.Virgei@nelsonstud.com> To: <bpcs-l@midrange.com> Sent: Monday, September 23, 2002 11:17 AM Subject: Group Profile Security > > Hi All, > > We are looking to beef up our BPCS (4.05 CD) security. More specifically, > I'm planning to change our users group profiles to "*NONE" (in place of > SSA); then, I plan to add "CHGGRPA GRPJOB(SSA)" command to the BPCSMENU > program. After testing one profile, I found this works if the user runs > everything interactively. However, I run into security violations when the > user runs any of the BPCS jobs in batch mode; the group profile attribute > apparently does not carry over to jobs stemming from the interactive > session/job... Has anyone run into this situation -- appreciate any input. > Thanks. > > DeeDee Virgei > Nelson Stud Welding, Inc. > 7900 West Ridge Rd > Elyria, OH 44036 >
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.