Re: Security Files and reports -- BPCS-L

Al

Can you explain more about the queries you build in exactly what files did you
run them against? seems what you are doing is somehow what I need to do... I
needto map all the sec files on BPCS and find out exactly what users are using
which files/menus etc.. and also, which users have access to aditional menus
located in files like ZMM, ZMA, ZMO, etc.

Also, if you have a list of what each Z* file has.. that would be great!

I know about pentasafe.. we tried it here too.. not too good not too bad.. I
prefer tools like Visual Message Center.. real time monitoring...

BTW Im in Bristol-Myers Mexico :)

Cheers


Al Mac wrote:

> You cannot get at the stuff that relates to permission for your company to
> use BPCS itself (SSA license) unless you want to go to jail.
>
> Look at the Z* files layout ... ZMA ZSC etc. also some of the ZPA records
> Use Query/400 or some such tool to create your own reference charts:
> Who all has access to ORD General Ledger etc.
> I have one that lists all the menus that selected range of users have
> access to & where they come in priority on their respective menu lists.
> I have another that lists for some range of program options, what all menus
> they show up on.
> I use these when I am told to setup some new user with all the same stuff
> as another specified user, with a few variations.
>
> Parsing the ZSC file is a bit of a pain.
> I have not done it, but approach I might suggest
> dump all the non-blank fields into a humongous array, then sort what you
> have dumped (SORTA)
>
> What I have done, is to create a dummy user in which all the Yes/No fields
> populated not by Y/N but by letters of the alphabet associated with the
> BPCSDOC standards identifying the application, then have a Query/400 that
> charts those core rules putting that dummy user on top to make that part of
> the chart somewhat readable.
>
> Another thing I was interested in was what all programs update some file,
> or call some program.  I did not want to use XRF of BPCS because it has
> some extremely severe security problems.  So I have an *OUTFILE built from
> IBM GO CMDREF that creates a cross-reference of BPCS programs that do the
> calling and what they call, then I can do a Query/400 inquiry against
> that.  It not get everything due to soft-coding, but it good enough for my
> purposes.
>
> I also have a job that puts IBM 400 profile data into an *OUTFILE then I
> run Query/400 against that.
>
> Say ... we almost neighbors ... I work in Evansville Indiana, where
> Bristol-Myers has one of its AS/400 offices.
>
> There is an outside vendor tool ... it used to be from www.pentasafe.com
> but they went through some change in company, and I not up on the product
> naming ... we got a demo of this at an AS/400 user meeting in Evansville,
> and if I am not mistaken, I believe it was Bristol-Myers Evansville that
> had it installed.  Designed primarily for Auditors, it looks at your
> overall security standards, and there are versions of it specifically for
> AS/400, Windoze, Unix, Linux, you name it, and yes there is one tailored
> for BPCS (I not remember which versions).
>
> Basically it looks for things like people with easily guessable passwords
> (without telling hacker with this tool which they are), not changed in
> eons, security officer able to sign on over unsecured Internet connections,
> a large collection of security checks, that usually are beyond the
> technical expertise of most of us, then gives a non-technical report how
> our security compares to various industry standards.
>
> UPI has a product (they'll pay me a commission if you buy it and give me
> credit) in which you can specify specific fields of specific files that you
> want to track, such as prices for parts, or formula of which chemicals to
> use in manufacturing that QC checks, or any other sensitive things, then it
> tells you everyone who messed with that and which programs they used to
> mess with it, and you can sort it various ways ... e.g. let's see who all
> accessed the General Ledger, using programs other than those that came with
> BPCS ... or let's see who all changed ITE rules or other tailoring, did
> some transactions under the changed rules, then changed them back to what
> they were before (think embezzlement audit trail).
>
> I have also been looking into some security topics that are outside
> BPCS/400 ... we can discuss off-line if you interested.
>
> -
> Al Macintyre  http://www.ryze.com/go/Al9Mac
> Find BPCS Documentation Suppliers
> http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
> BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/
>
> >Guys..
> >
> >Is there a way or a tool to get all the security related
> >permission on BPCS?
> >
> >Im trying to find out to what pgms each user has access (like
> >parsing the zsc file) and also, to what external programs they
> >have access thru menu maintenance/aditional menus/not core menus?
> >
> >Is there such a tool for this or a way to get a compelte report
> >as to what a user has access to  or a reports that shows who has
> >access to each program?
> >
> >Thx for your help.
> >
> >
> >--
> >Anton Krall
> >IT Security Officer
> >Bristol-Myers Squibb Mexico
> >
> >Tel. Directo: 5337-2620
> >Conmutador: 5337-2800
> >Email: anton.lopez-krall@xxxxxxx
> _______________________________________________
> This is the SSA's BPCS ERP System (BPCS-L) mailing list
> To post a message email: BPCS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/bpcs-l
> or email: BPCS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.

--
Anton Krall
IT Security Officer
Bristol-Myers Squibb Mexico

Tel. Directo: 5337-2620
Conmutador: 5337-2800
Email: anton.lopez-krall@xxxxxxx