|
Hi Al, Jose, As you have realised, BPCS security set-up changed radically between V4 and V6. At V4 the main file was the ZSC file, and most of the info was in there. The ZSO file was supposed to contain every 'object' in BPCS and what type etc it was, and if you created new objects (files, pgms etc)you were supposed to add them in. The ZMx files were the menu system. At V6 a whole lot more files were introduced, ZX1, ZX2, ZX3 etc. These contained info that used to be in the ZSC file, so making it rather more difficult to do things like listing user authorities, or cleaning up and removing obsolete users. The ZSO file became the ZXO file. Additional security was added for CEA (which replaced GLD). Of course all these changes did nothing to address real security issues with V6, such as now that we have PCs in the equation, how do we stop users who are members of the SSA user group which has all access to all the BPCS files, doing something like deleting a key file? (I did an exercise with Pharmacia & Upjohn to change this system and to use adopted authority instead, and this is possible but takes a bit of work to implement.) Our BPCS Archiving software (sold as Locksmith in the US, by Unbeaten Path) does have an option which allows you to list BPCS profiles from all over your system, tells you which could be obsolete (not existing on the AS/400 for example), and allows you to remove selected profiles. We don't have an option that allows you to print authorities to programs etc by BPCS user profile, but this could be something for our next version! Hope this helps, Clare Clare Holtham Director, Small Blue Ltd - Archiving for BPCS Web: www.smallblue.co.uk IBM Certified AS/400 Systems Professional E-Mail: Clare.Holtham@xxxxxxxxxxxxxx Mobile: +44 (0)7960 665958 ----- Original Message ----- From: "Al Mac" <macwheel99@xxxxxxxxxxx> To: "SSA's BPCS ERP System" <bpcs-l@xxxxxxxxxxxx> Sent: Friday, July 25, 2003 7:46 PM Subject: Re: Security Files and reports > I will do another reply later since I do 99% of my e-mail from home, where > I do not have access to our 400, but sometimes bring some print-outs > home. We are on BPCS 405 CD & I believe you are on a higher version, in > which one of the things totally re-written for V6 was how the security > works, so some of what I have done might not be applicable to all of your > requirements. > > If you have not already done so, I suggest you look at BPCSDOC from the DOC > menu, which is a PDM Source File containing many documentation > members. There is a lot of useful information and navigation clues there, > but much of BPCS seems to use the Security by Obscurity philosophy which > makes me very nervous. > > My Query/400 over the Security files are pretty simplistic. > > I have other deals where I use Query/400 to build work files that combine > info from multiple BPCS files then, using join-3 and I found a way to join > query files outside the methods spelled out in IBM documentation. Then I > use those query work files as input to other queries, with the whole thing > in a CL stream of queries regenerating a picture. I like to maximize what > we can get out of Query/400 because I have several non-programmer > co-workers following in my footsteps also using the techniques I figure out. > > One of my IBM *OUTFILEs is a dump of IBM's DSPFD directory of BPCS files, > which I use for a ton of stuff, mainly related to cleaning up obsolete dead > records. If you have command line access, you can see a lot of what the > files are used for yourself: > > WRKOBJ Z* enter and scroll, or WRKOBJ Z* F4 and limit the view a bit more > then scroll > This will show you what all Z files are out there in the library list, with > what names (which can be misleading sometimes). In addition to physical > files, something else of interest are data structures that have the layouts > of security related records in the ZPA file, which has many records with > different layouts for different functions. > > So jot down the file names > ZMA = Menu/User/Seq (can include people no longer in IBM user profiles) > ZMM = Menu titles (some inactive) > ZMO = Menu individual lines - what text description what program > ZOM = Menu options > ZSC = Security Master file > ZSO = Security Object file > > Then getting back to the command line > RUNQRY *N ZSC > or whatever file you interested in > > This uses Query/400 through UDB/2 to view the data without having any > Query/400/Definition (that's what the *N signifies) > > You get a quick eyeball of the kind of data that is in there. > Then from this, it gives you an idea of what files would be the most useful > to include in your formal Query definitions. > > You also get a quick education in how come command line access should not > be a privilege for every user. > > So far I have addressed what users have been granted access to what BPCS > stuff through the security "front doors" in which the structure could > conceivably have too many cooks who not have a full understanding of all > the nuances, and do not communicate effectively with each other. > > The issue of who is ACTUALLY accessing what stuff is another topic, and if > any of the access is through some "back door". Another thing I have is a > CL (I believe I posted the core details here a while back) which grabs the > OS/400 message codes associated with security violations, and other topics > of interest to me in my Computer Janitor role, and throws all that stuff > into one convenient location, for easy reference > > I have also made good use of WRKSYSVAL to organize QSYSOPR type stuff into > separate message queues by type of problem. This sort of topic drifts out > of reverse-engineering BPCS obscurity and into 400 Security Administration > ... there is a www.midrange.com list specifically for 400 Security > Management nuances. > > >Al > > > >Can you explain more about the queries you build in exactly what files did you > >run them against? seems what you are doing is somehow what I need to do... I > >needto map all the sec files on BPCS and find out exactly what users are using > >which files/menus etc.. and also, which users have access to aditional menus > >located in files like ZMM, ZMA, ZMO, etc. > > > >Also, if you have a list of what each Z* file has.. that would be great! > > > >I know about pentasafe.. we tried it here too.. not too good not too bad.. I > >prefer tools like Visual Message Center.. real time monitoring... > > > >BTW Im in Bristol-Myers Mexico :) > > > >Cheers > > > > > >Al Mac wrote: > > > > > You cannot get at the stuff that relates to permission for your company to > > > use BPCS itself (SSA license) unless you want to go to jail. > > > > > > Look at the Z* files layout ... ZMA ZSC etc. also some of the ZPA records > > > Use Query/400 or some such tool to create your own reference charts: > > > Who all has access to ORD General Ledger etc. > > > I have one that lists all the menus that selected range of users have > > > access to & where they come in priority on their respective menu lists. > > > I have another that lists for some range of program options, what all menus > > > they show up on. > > > I use these when I am told to setup some new user with all the same stuff > > > as another specified user, with a few variations. > > > > > > Parsing the ZSC file is a bit of a pain. > > > I have not done it, but approach I might suggest > > > dump all the non-blank fields into a humongous array, then sort what you > > > have dumped (SORTA) > > > > > > What I have done, is to create a dummy user in which all the Yes/No fields > > > populated not by Y/N but by letters of the alphabet associated with the > > > BPCSDOC standards identifying the application, then have a Query/400 that > > > charts those core rules putting that dummy user on top to make that part of > > > the chart somewhat readable. > > > > > > Another thing I was interested in was what all programs update some file, > > > or call some program. I did not want to use XRF of BPCS because it has > > > some extremely severe security problems. So I have an *OUTFILE built from > > > IBM GO CMDREF that creates a cross-reference of BPCS programs that do the > > > calling and what they call, then I can do a Query/400 inquiry against > > > that. It not get everything due to soft-coding, but it good enough for my > > > purposes. > > > > > > I also have a job that puts IBM 400 profile data into an *OUTFILE then I > > > run Query/400 against that. > > > > > > Say ... we almost neighbors ... I work in Evansville Indiana, where > > > Bristol-Myers has one of its AS/400 offices. > > > > > > There is an outside vendor tool ... it used to be from www.pentasafe.com > > > but they went through some change in company, and I not up on the product > > > naming ... we got a demo of this at an AS/400 user meeting in Evansville, > > > and if I am not mistaken, I believe it was Bristol-Myers Evansville that > > > had it installed. Designed primarily for Auditors, it looks at your > > > overall security standards, and there are versions of it specifically for > > > AS/400, Windoze, Unix, Linux, you name it, and yes there is one tailored > > > for BPCS (I not remember which versions). > > > > > > Basically it looks for things like people with easily guessable passwords > > > (without telling hacker with this tool which they are), not changed in > > > eons, security officer able to sign on over unsecured Internet connections, > > > a large collection of security checks, that usually are beyond the > > > technical expertise of most of us, then gives a non-technical report how > > > our security compares to various industry standards. > > > > > > UPI has a product (they'll pay me a commission if you buy it and give me > > > credit) in which you can specify specific fields of specific files that you > > > want to track, such as prices for parts, or formula of which chemicals to > > > use in manufacturing that QC checks, or any other sensitive things, then it > > > tells you everyone who messed with that and which programs they used to > > > mess with it, and you can sort it various ways ... e.g. let's see who all > > > accessed the General Ledger, using programs other than those that came with > > > BPCS ... or let's see who all changed ITE rules or other tailoring, did > > > some transactions under the changed rules, then changed them back to what > > > they were before (think embezzlement audit trail). > > > > > > I have also been looking into some security topics that are outside > > > BPCS/400 ... we can discuss off-line if you interested. > > > > > > - > > > Al Macintyre http://www.ryze.com/go/Al9Mac > > > Find BPCS Documentation Suppliers > > > http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html > > > BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/ > > > > > > >Guys.. > > > > > > > >Is there a way or a tool to get all the security related > > > >permission on BPCS? > > > > > > > >Im trying to find out to what pgms each user has access (like > > > >parsing the zsc file) and also, to what external programs they > > > >have access thru menu maintenance/aditional menus/not core menus? > > > > > > > >Is there such a tool for this or a way to get a compelte report > > > >as to what a user has access to or a reports that shows who has > > > >access to each program? > > > > > > > >Thx for your help. > > > > > > > > > > > >-- > > > >Anton Krall > > > >IT Security Officer > > > >Bristol-Myers Squibb Mexico > > > > > > > >Tel. Directo: 5337-2620 > > > >Conmutador: 5337-2800 > > > >Email: anton.lopez-krall@xxxxxxx > > > >-- > >Anton Krall > >IT Security Officer > >Bristol-Myers Squibb Mexico > > > >Tel. Directo: 5337-2620 > >Conmutador: 5337-2800 > >Email: anton.lopez-krall@xxxxxxx > > - > Al Macintyre http://www.ryze.com/go/Al9Mac > Find BPCS Documentation Suppliers > http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html > BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/ > Part time may get commission from some BPCS vendors for helping them ... I > will now say in a post if the product I commenting on is also one > potentially involved with this ... not that I have made anything from this yet. > _______________________________________________ > This is the SSA's BPCS ERP System (BPCS-L) mailing list > To post a message email: BPCS-L@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/bpcs-l > or email: BPCS-L-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/bpcs-l. > >
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.