× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. BPCS-L
  3. July 2003

Re: Security Files and reports

Al, thank you very much for your explanation. I was very clarifying and a very 
good
starting point.

Thank you very much.



Al Mac wrote:

> I will do another reply later since I do 99% of my e-mail from home, where
> I do not have access to our 400, but sometimes bring some print-outs
> home.  We are on BPCS 405 CD & I believe you are on a higher version, in
> which one of the things totally re-written for V6 was how the security
> works, so some of what I have done might not be applicable to all of your
> requirements.
>
> If you have not already done so, I suggest you look at BPCSDOC from the DOC
> menu, which is a PDM Source File containing many documentation
> members.  There is a lot of useful information and navigation clues there,
> but much of BPCS seems to use the Security by Obscurity philosophy which
> makes me very nervous.
>
> My Query/400 over the Security files are pretty simplistic.
>
> I have other deals where I use Query/400 to build work files that combine
> info from multiple BPCS files then, using join-3 and I found a way to join
> query files outside the methods spelled out in IBM documentation.  Then I
> use those query work files as input to other queries, with the whole thing
> in a CL stream of queries regenerating a picture.  I like to maximize what
> we can get out of Query/400 because I have several non-programmer
> co-workers following in my footsteps also using the techniques I figure out.
>
> One of my IBM *OUTFILEs is a dump of IBM's DSPFD directory of BPCS files,
> which I use for a ton of stuff, mainly related to cleaning up obsolete dead
> records.  If you have command line access, you can see a lot of what the
> files are used for yourself:
>
> WRKOBJ Z* enter and scroll, or WRKOBJ Z* F4 and limit the view a bit more
> then scroll
> This will show you what all Z files are out there in the library list, with
> what names (which can be misleading sometimes).  In addition to physical
> files, something else of interest are data structures that have the layouts
> of security related records in the ZPA file, which has many records with
> different layouts for different functions.
>
> So jot down the file names
> ZMA = Menu/User/Seq (can include people no longer in IBM user profiles)
> ZMM = Menu titles (some inactive)
> ZMO = Menu individual lines - what text description what program
> ZOM = Menu options
> ZSC = Security Master file
> ZSO = Security Object file
>
> Then getting back to the command line
> RUNQRY *N ZSC
> or whatever file you interested in
>
> This uses Query/400 through UDB/2 to view the data without having any
> Query/400/Definition (that's what the *N signifies)
>
> You get a quick eyeball of the kind of data that is in there.
> Then from this, it gives you an idea of what files would be the most useful
> to include in your formal Query definitions.
>
> You also get a quick education in how come command line access should not
> be a privilege for every user.
>
> So far I have addressed what users have been granted access to what BPCS
> stuff through the security "front doors" in which the structure could
> conceivably have too many cooks who not have a full understanding of all
> the nuances, and do not communicate effectively with each other.
>
> The issue of who is ACTUALLY accessing what stuff is another topic, and if
> any of the access is through some "back door".  Another thing I have is a
> CL (I believe I posted the core details here a while back) which grabs the
> OS/400 message codes associated with security violations, and other topics
> of interest to me in my Computer Janitor role, and throws all that stuff
> into one convenient location, for easy reference
>
> I have also made good use of WRKSYSVAL to organize QSYSOPR type stuff into
> separate message queues by type of problem.  This sort of topic drifts out
> of reverse-engineering BPCS obscurity and into 400 Security Administration
> ... there is a www.midrange.com list specifically for 400 Security
> Management nuances.
>
> >Al
> >
> >Can you explain more about the queries you build in exactly what files did 
> >you
> >run them against? seems what you are doing is somehow what I need to do... I
> >needto map all the sec files on BPCS and find out exactly what users are 
> >using
> >which files/menus etc.. and also, which users have access to aditional menus
> >located in files like ZMM, ZMA, ZMO, etc.
> >
> >Also, if you have a list of what each Z* file has.. that would be great!
> >
> >I know about pentasafe.. we tried it here too.. not too good not too bad.. I
> >prefer tools like Visual Message Center.. real time monitoring...
> >
> >BTW Im in Bristol-Myers Mexico :)
> >
> >Cheers
> >
> >
> >Al Mac wrote:
> >
> > > You cannot get at the stuff that relates to permission for your company to
> > > use BPCS itself (SSA license) unless you want to go to jail.
> > >
> > > Look at the Z* files layout ... ZMA ZSC etc. also some of the ZPA records
> > > Use Query/400 or some such tool to create your own reference charts:
> > > Who all has access to ORD General Ledger etc.
> > > I have one that lists all the menus that selected range of users have
> > > access to & where they come in priority on their respective menu lists.
> > > I have another that lists for some range of program options, what all 
> > > menus
> > > they show up on.
> > > I use these when I am told to setup some new user with all the same stuff
> > > as another specified user, with a few variations.
> > >
> > > Parsing the ZSC file is a bit of a pain.
> > > I have not done it, but approach I might suggest
> > > dump all the non-blank fields into a humongous array, then sort what you
> > > have dumped (SORTA)
> > >
> > > What I have done, is to create a dummy user in which all the Yes/No fields
> > > populated not by Y/N but by letters of the alphabet associated with the
> > > BPCSDOC standards identifying the application, then have a Query/400 that
> > > charts those core rules putting that dummy user on top to make that part 
> > > of
> > > the chart somewhat readable.
> > >
> > > Another thing I was interested in was what all programs update some file,
> > > or call some program.  I did not want to use XRF of BPCS because it has
> > > some extremely severe security problems.  So I have an *OUTFILE built from
> > > IBM GO CMDREF that creates a cross-reference of BPCS programs that do the
> > > calling and what they call, then I can do a Query/400 inquiry against
> > > that.  It not get everything due to soft-coding, but it good enough for my
> > > purposes.
> > >
> > > I also have a job that puts IBM 400 profile data into an *OUTFILE then I
> > > run Query/400 against that.
> > >
> > > Say ... we almost neighbors ... I work in Evansville Indiana, where
> > > Bristol-Myers has one of its AS/400 offices.
> > >
> > > There is an outside vendor tool ... it used to be from www.pentasafe.com
> > > but they went through some change in company, and I not up on the product
> > > naming ... we got a demo of this at an AS/400 user meeting in Evansville,
> > > and if I am not mistaken, I believe it was Bristol-Myers Evansville that
> > > had it installed.  Designed primarily for Auditors, it looks at your
> > > overall security standards, and there are versions of it specifically for
> > > AS/400, Windoze, Unix, Linux, you name it, and yes there is one tailored
> > > for BPCS (I not remember which versions).
> > >
> > > Basically it looks for things like people with easily guessable passwords
> > > (without telling hacker with this tool which they are), not changed in
> > > eons, security officer able to sign on over unsecured Internet 
> > > connections,
> > > a large collection of security checks, that usually are beyond the
> > > technical expertise of most of us, then gives a non-technical report how
> > > our security compares to various industry standards.
> > >
> > > UPI has a product (they'll pay me a commission if you buy it and give me
> > > credit) in which you can specify specific fields of specific files that 
> > > you
> > > want to track, such as prices for parts, or formula of which chemicals to
> > > use in manufacturing that QC checks, or any other sensitive things, then 
> > > it
> > > tells you everyone who messed with that and which programs they used to
> > > mess with it, and you can sort it various ways ... e.g. let's see who all
> > > accessed the General Ledger, using programs other than those that came 
> > > with
> > > BPCS ... or let's see who all changed ITE rules or other tailoring, did
> > > some transactions under the changed rules, then changed them back to what
> > > they were before (think embezzlement audit trail).
> > >
> > > I have also been looking into some security topics that are outside
> > > BPCS/400 ... we can discuss off-line if you interested.
> > >
> > > -
> > > Al Macintyre  http://www.ryze.com/go/Al9Mac
> > > Find BPCS Documentation Suppliers
> > > http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
> > > BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/
> > >
> > > >Guys..
> > > >
> > > >Is there a way or a tool to get all the security related
> > > >permission on BPCS?
> > > >
> > > >Im trying to find out to what pgms each user has access (like
> > > >parsing the zsc file) and also, to what external programs they
> > > >have access thru menu maintenance/aditional menus/not core menus?
> > > >
> > > >Is there such a tool for this or a way to get a compelte report
> > > >as to what a user has access to  or a reports that shows who has
> > > >access to each program?
> > > >
> > > >Thx for your help.
> > > >
> > > >
> > > >--
> > > >Anton Krall
> > > >IT Security Officer
> > > >Bristol-Myers Squibb Mexico
> > > >
> > > >Tel. Directo: 5337-2620
> > > >Conmutador: 5337-2800
> > > >Email: anton.lopez-krall@xxxxxxx
> >
> >--
> >Anton Krall
> >IT Security Officer
> >Bristol-Myers Squibb Mexico
> >
> >Tel. Directo: 5337-2620
> >Conmutador: 5337-2800
> >Email: anton.lopez-krall@xxxxxxx
>
> -
> Al Macintyre  http://www.ryze.com/go/Al9Mac
> Find BPCS Documentation Suppliers
> http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
> BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/
> Part time may get commission from some BPCS vendors for helping them ... I
> will now say in a post if the product I commenting on is also one
> potentially involved with this ... not that I have made anything from this 
> yet.
> _______________________________________________
> This is the SSA's BPCS ERP System (BPCS-L) mailing list
> To post a message email: BPCS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/bpcs-l
> or email: BPCS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.

--
Anton Krall
IT Security Officer
Bristol-Myers Squibb Mexico

Tel. Directo: 5337-2620
Conmutador: 5337-2800
Email: anton.lopez-krall@xxxxxxx

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.