|
Al, thank you very much for your explanation. I was very clarifying and a very good starting point. Thank you very much. Al Mac wrote: > I will do another reply later since I do 99% of my e-mail from home, where > I do not have access to our 400, but sometimes bring some print-outs > home. We are on BPCS 405 CD & I believe you are on a higher version, in > which one of the things totally re-written for V6 was how the security > works, so some of what I have done might not be applicable to all of your > requirements. > > If you have not already done so, I suggest you look at BPCSDOC from the DOC > menu, which is a PDM Source File containing many documentation > members. There is a lot of useful information and navigation clues there, > but much of BPCS seems to use the Security by Obscurity philosophy which > makes me very nervous. > > My Query/400 over the Security files are pretty simplistic. > > I have other deals where I use Query/400 to build work files that combine > info from multiple BPCS files then, using join-3 and I found a way to join > query files outside the methods spelled out in IBM documentation. Then I > use those query work files as input to other queries, with the whole thing > in a CL stream of queries regenerating a picture. I like to maximize what > we can get out of Query/400 because I have several non-programmer > co-workers following in my footsteps also using the techniques I figure out. > > One of my IBM *OUTFILEs is a dump of IBM's DSPFD directory of BPCS files, > which I use for a ton of stuff, mainly related to cleaning up obsolete dead > records. If you have command line access, you can see a lot of what the > files are used for yourself: > > WRKOBJ Z* enter and scroll, or WRKOBJ Z* F4 and limit the view a bit more > then scroll > This will show you what all Z files are out there in the library list, with > what names (which can be misleading sometimes). In addition to physical > files, something else of interest are data structures that have the layouts > of security related records in the ZPA file, which has many records with > different layouts for different functions. > > So jot down the file names > ZMA = Menu/User/Seq (can include people no longer in IBM user profiles) > ZMM = Menu titles (some inactive) > ZMO = Menu individual lines - what text description what program > ZOM = Menu options > ZSC = Security Master file > ZSO = Security Object file > > Then getting back to the command line > RUNQRY *N ZSC > or whatever file you interested in > > This uses Query/400 through UDB/2 to view the data without having any > Query/400/Definition (that's what the *N signifies) > > You get a quick eyeball of the kind of data that is in there. > Then from this, it gives you an idea of what files would be the most useful > to include in your formal Query definitions. > > You also get a quick education in how come command line access should not > be a privilege for every user. > > So far I have addressed what users have been granted access to what BPCS > stuff through the security "front doors" in which the structure could > conceivably have too many cooks who not have a full understanding of all > the nuances, and do not communicate effectively with each other. > > The issue of who is ACTUALLY accessing what stuff is another topic, and if > any of the access is through some "back door". Another thing I have is a > CL (I believe I posted the core details here a while back) which grabs the > OS/400 message codes associated with security violations, and other topics > of interest to me in my Computer Janitor role, and throws all that stuff > into one convenient location, for easy reference > > I have also made good use of WRKSYSVAL to organize QSYSOPR type stuff into > separate message queues by type of problem. This sort of topic drifts out > of reverse-engineering BPCS obscurity and into 400 Security Administration > ... there is a www.midrange.com list specifically for 400 Security > Management nuances. > > >Al > > > >Can you explain more about the queries you build in exactly what files did > >you > >run them against? seems what you are doing is somehow what I need to do... I > >needto map all the sec files on BPCS and find out exactly what users are > >using > >which files/menus etc.. and also, which users have access to aditional menus > >located in files like ZMM, ZMA, ZMO, etc. > > > >Also, if you have a list of what each Z* file has.. that would be great! > > > >I know about pentasafe.. we tried it here too.. not too good not too bad.. I > >prefer tools like Visual Message Center.. real time monitoring... > > > >BTW Im in Bristol-Myers Mexico :) > > > >Cheers > > > > > >Al Mac wrote: > > > > > You cannot get at the stuff that relates to permission for your company to > > > use BPCS itself (SSA license) unless you want to go to jail. > > > > > > Look at the Z* files layout ... ZMA ZSC etc. also some of the ZPA records > > > Use Query/400 or some such tool to create your own reference charts: > > > Who all has access to ORD General Ledger etc. > > > I have one that lists all the menus that selected range of users have > > > access to & where they come in priority on their respective menu lists. > > > I have another that lists for some range of program options, what all > > > menus > > > they show up on. > > > I use these when I am told to setup some new user with all the same stuff > > > as another specified user, with a few variations. > > > > > > Parsing the ZSC file is a bit of a pain. > > > I have not done it, but approach I might suggest > > > dump all the non-blank fields into a humongous array, then sort what you > > > have dumped (SORTA) > > > > > > What I have done, is to create a dummy user in which all the Yes/No fields > > > populated not by Y/N but by letters of the alphabet associated with the > > > BPCSDOC standards identifying the application, then have a Query/400 that > > > charts those core rules putting that dummy user on top to make that part > > > of > > > the chart somewhat readable. > > > > > > Another thing I was interested in was what all programs update some file, > > > or call some program. I did not want to use XRF of BPCS because it has > > > some extremely severe security problems. So I have an *OUTFILE built from > > > IBM GO CMDREF that creates a cross-reference of BPCS programs that do the > > > calling and what they call, then I can do a Query/400 inquiry against > > > that. It not get everything due to soft-coding, but it good enough for my > > > purposes. > > > > > > I also have a job that puts IBM 400 profile data into an *OUTFILE then I > > > run Query/400 against that. > > > > > > Say ... we almost neighbors ... I work in Evansville Indiana, where > > > Bristol-Myers has one of its AS/400 offices. > > > > > > There is an outside vendor tool ... it used to be from www.pentasafe.com > > > but they went through some change in company, and I not up on the product > > > naming ... we got a demo of this at an AS/400 user meeting in Evansville, > > > and if I am not mistaken, I believe it was Bristol-Myers Evansville that > > > had it installed. Designed primarily for Auditors, it looks at your > > > overall security standards, and there are versions of it specifically for > > > AS/400, Windoze, Unix, Linux, you name it, and yes there is one tailored > > > for BPCS (I not remember which versions). > > > > > > Basically it looks for things like people with easily guessable passwords > > > (without telling hacker with this tool which they are), not changed in > > > eons, security officer able to sign on over unsecured Internet > > > connections, > > > a large collection of security checks, that usually are beyond the > > > technical expertise of most of us, then gives a non-technical report how > > > our security compares to various industry standards. > > > > > > UPI has a product (they'll pay me a commission if you buy it and give me > > > credit) in which you can specify specific fields of specific files that > > > you > > > want to track, such as prices for parts, or formula of which chemicals to > > > use in manufacturing that QC checks, or any other sensitive things, then > > > it > > > tells you everyone who messed with that and which programs they used to > > > mess with it, and you can sort it various ways ... e.g. let's see who all > > > accessed the General Ledger, using programs other than those that came > > > with > > > BPCS ... or let's see who all changed ITE rules or other tailoring, did > > > some transactions under the changed rules, then changed them back to what > > > they were before (think embezzlement audit trail). > > > > > > I have also been looking into some security topics that are outside > > > BPCS/400 ... we can discuss off-line if you interested. > > > > > > - > > > Al Macintyre http://www.ryze.com/go/Al9Mac > > > Find BPCS Documentation Suppliers > > > http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html > > > BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/ > > > > > > >Guys.. > > > > > > > >Is there a way or a tool to get all the security related > > > >permission on BPCS? > > > > > > > >Im trying to find out to what pgms each user has access (like > > > >parsing the zsc file) and also, to what external programs they > > > >have access thru menu maintenance/aditional menus/not core menus? > > > > > > > >Is there such a tool for this or a way to get a compelte report > > > >as to what a user has access to or a reports that shows who has > > > >access to each program? > > > > > > > >Thx for your help. > > > > > > > > > > > >-- > > > >Anton Krall > > > >IT Security Officer > > > >Bristol-Myers Squibb Mexico > > > > > > > >Tel. Directo: 5337-2620 > > > >Conmutador: 5337-2800 > > > >Email: anton.lopez-krall@xxxxxxx > > > >-- > >Anton Krall > >IT Security Officer > >Bristol-Myers Squibb Mexico > > > >Tel. Directo: 5337-2620 > >Conmutador: 5337-2800 > >Email: anton.lopez-krall@xxxxxxx > > - > Al Macintyre http://www.ryze.com/go/Al9Mac > Find BPCS Documentation Suppliers > http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html > BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/ > Part time may get commission from some BPCS vendors for helping them ... I > will now say in a post if the product I commenting on is also one > potentially involved with this ... not that I have made anything from this > yet. > _______________________________________________ > This is the SSA's BPCS ERP System (BPCS-L) mailing list > To post a message email: BPCS-L@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/bpcs-l > or email: BPCS-L-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/bpcs-l. -- Anton Krall IT Security Officer Bristol-Myers Squibb Mexico Tel. Directo: 5337-2620 Conmutador: 5337-2800 Email: anton.lopez-krall@xxxxxxx
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.