Re: Security Files and reports -- BPCS-L

I will do another reply later since I do 99% of my e-mail from home, where I do not have access to our 400, but sometimes bring some print-outs home. We are on BPCS 405 CD & I believe you are on a higher version, in which one of the things totally re-written for V6 was how the security works, so some of what I have done might not be applicable to all of your requirements.

If you have not already done so, I suggest you look at BPCSDOC from the DOC menu, which is a PDM Source File containing many documentation members. There is a lot of useful information and navigation clues there, but much of BPCS seems to use the Security by Obscurity philosophy which makes me very nervous.

My Query/400 over the Security files are pretty simplistic.

I have other deals where I use Query/400 to build work files that combine info from multiple BPCS files then, using join-3 and I found a way to join query files outside the methods spelled out in IBM documentation. Then I use those query work files as input to other queries, with the whole thing in a CL stream of queries regenerating a picture. I like to maximize what we can get out of Query/400 because I have several non-programmer co-workers following in my footsteps also using the techniques I figure out.

One of my IBM *OUTFILEs is a dump of IBM's DSPFD directory of BPCS files, which I use for a ton of stuff, mainly related to cleaning up obsolete dead records. If you have command line access, you can see a lot of what the files are used for yourself:

WRKOBJ Z* enter and scroll, or WRKOBJ Z* F4 and limit the view a bit more then scroll This will show you what all Z files are out there in the library list, with what names (which can be misleading sometimes). In addition to physical files, something else of interest are data structures that have the layouts of security related records in the ZPA file, which has many records with different layouts for different functions.

So jot down the file names
ZMA = Menu/User/Seq (can include people no longer in IBM user profiles)
ZMM = Menu titles (some inactive)
ZMO = Menu individual lines - what text description what program
ZOM = Menu options
ZSC = Security Master file
ZSO = Security Object file

Then getting back to the command line
RUNQRY *N ZSC
or whatever file you interested in

This uses Query/400 through UDB/2 to view the data without having any Query/400/Definition (that's what the *N signifies)

You get a quick eyeball of the kind of data that is in there. Then from this, it gives you an idea of what files would be the most useful to include in your formal Query definitions.

You also get a quick education in how come command line access should not be a privilege for every user.

So far I have addressed what users have been granted access to what BPCS stuff through the security "front doors" in which the structure could conceivably have too many cooks who not have a full understanding of all the nuances, and do not communicate effectively with each other.

The issue of who is ACTUALLY accessing what stuff is another topic, and if any of the access is through some "back door". Another thing I have is a CL (I believe I posted the core details here a while back) which grabs the OS/400 message codes associated with security violations, and other topics of interest to me in my Computer Janitor role, and throws all that stuff into one convenient location, for easy reference

I have also made good use of WRKSYSVAL to organize QSYSOPR type stuff into separate message queues by type of problem. This sort of topic drifts out of reverse-engineering BPCS obscurity and into 400 Security Administration ... there is a www.midrange.com list specifically for 400 Security Management nuances.

Al

Can you explain more about the queries you build in exactly what files did you
run them against? seems what you are doing is somehow what I need to do... I
needto map all the sec files on BPCS and find out exactly what users are using
which files/menus etc.. and also, which users have access to aditional menus
located in files like ZMM, ZMA, ZMO, etc.

Also, if you have a list of what each Z* file has.. that would be great!

I know about pentasafe.. we tried it here too.. not too good not too bad.. I
prefer tools like Visual Message Center.. real time monitoring...

BTW Im in Bristol-Myers Mexico :)

Cheers

Al Mac wrote:

> You cannot get at the stuff that relates to permission for your company to
> use BPCS itself (SSA license) unless you want to go to jail.
>
> Look at the Z* files layout ... ZMA ZSC etc. also some of the ZPA records
> Use Query/400 or some such tool to create your own reference charts:
> Who all has access to ORD General Ledger etc.
> I have one that lists all the menus that selected range of users have
> access to & where they come in priority on their respective menu lists.
> I have another that lists for some range of program options, what all menus
> they show up on.
> I use these when I am told to setup some new user with all the same stuff
> as another specified user, with a few variations.
>
> Parsing the ZSC file is a bit of a pain.
> I have not done it, but approach I might suggest
> dump all the non-blank fields into a humongous array, then sort what you
> have dumped (SORTA)
>
> What I have done, is to create a dummy user in which all the Yes/No fields
> populated not by Y/N but by letters of the alphabet associated with the
> BPCSDOC standards identifying the application, then have a Query/400 that
> charts those core rules putting that dummy user on top to make that part of
> the chart somewhat readable.
>
> Another thing I was interested in was what all programs update some file,
> or call some program.  I did not want to use XRF of BPCS because it has
> some extremely severe security problems.  So I have an *OUTFILE built from
> IBM GO CMDREF that creates a cross-reference of BPCS programs that do the
> calling and what they call, then I can do a Query/400 inquiry against
> that.  It not get everything due to soft-coding, but it good enough for my
> purposes.
>
> I also have a job that puts IBM 400 profile data into an *OUTFILE then I
> run Query/400 against that.
>
> Say ... we almost neighbors ... I work in Evansville Indiana, where
> Bristol-Myers has one of its AS/400 offices.
>
> There is an outside vendor tool ... it used to be from www.pentasafe.com
> but they went through some change in company, and I not up on the product
> naming ... we got a demo of this at an AS/400 user meeting in Evansville,
> and if I am not mistaken, I believe it was Bristol-Myers Evansville that
> had it installed.  Designed primarily for Auditors, it looks at your
> overall security standards, and there are versions of it specifically for
> AS/400, Windoze, Unix, Linux, you name it, and yes there is one tailored
> for BPCS (I not remember which versions).
>
> Basically it looks for things like people with easily guessable passwords
> (without telling hacker with this tool which they are), not changed in
> eons, security officer able to sign on over unsecured Internet connections,
> a large collection of security checks, that usually are beyond the
> technical expertise of most of us, then gives a non-technical report how
> our security compares to various industry standards.
>
> UPI has a product (they'll pay me a commission if you buy it and give me
> credit) in which you can specify specific fields of specific files that you
> want to track, such as prices for parts, or formula of which chemicals to
> use in manufacturing that QC checks, or any other sensitive things, then it
> tells you everyone who messed with that and which programs they used to
> mess with it, and you can sort it various ways ... e.g. let's see who all
> accessed the General Ledger, using programs other than those that came with
> BPCS ... or let's see who all changed ITE rules or other tailoring, did
> some transactions under the changed rules, then changed them back to what
> they were before (think embezzlement audit trail).
>
> I have also been looking into some security topics that are outside
> BPCS/400 ... we can discuss off-line if you interested.
>
> -
> Al Macintyre  http://www.ryze.com/go/Al9Mac
> Find BPCS Documentation Suppliers
> http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
> BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/
>
> >Guys..
> >
> >Is there a way or a tool to get all the security related
> >permission on BPCS?
> >
> >Im trying to find out to what pgms each user has access (like
> >parsing the zsc file) and also, to what external programs they
> >have access thru menu maintenance/aditional menus/not core menus?
> >
> >Is there such a tool for this or a way to get a compelte report
> >as to what a user has access to  or a reports that shows who has
> >access to each program?
> >
> >Thx for your help.
> >
> >
> >--
> >Anton Krall
> >IT Security Officer
> >Bristol-Myers Squibb Mexico
> >
> >Tel. Directo: 5337-2620
> >Conmutador: 5337-2800
> >Email: anton.lopez-krall@xxxxxxx

--
Anton Krall
IT Security Officer
Bristol-Myers Squibb Mexico

Tel. Directo: 5337-2620
Conmutador: 5337-2800
Email: anton.lopez-krall@xxxxxxx

- Al Macintyre http://www.ryze.com/go/Al9Mac Find BPCS Documentation Suppliers http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/ Part time may get commission from some BPCS vendors for helping them ... I will now say in a post if the product I commenting on is also one potentially involved with this ... not that I have made anything from this yet.