


I am on BPCS 405 CD and I had an idea that perhaps someone can steer me appropriately.

From time to time, a question comes up ... who all is able to change this data in these files, or who all is looking at this data, and the question is really who all actually did so, irrespective of how good a job we did with our security design. We want to be able to find out, without putting a big strain on the 400 with a lot of journaling. I warn the questioner about BPCS Security not being seamless in our implementation, but 99% of our breaches are due to internal mistakes.

When someone does something in OS/400 that is a violation of security, like forgetting their password, or trying to connect using an improper configuration, a message goes to the system log that we can then parse through DSPLOG to notice all such instances.

But when someone does something in BPCS that results in BPCS Security saying HEY you not allowed into this or that, there is no memory that IT can view to see who has been bumping up against what constraints, exploring the limits of Security settings.

In DSPLOG we can see who signed on and off the 400, and what jobs ran via JOBQ.
There is no log of who accessed what ON LINE.

My thought is that wherever it is that BPCS Security checks, between someone taking a menu option, and actually running the program, does this user have BPCS Security permission to run this job, and if not, instead of giving them access, it gives them an error message.

Wherever that is, we might interject a modification, right before giving the user an error message, send a message to QSECBPCS (Message Queue we would create) to record a log of all such instances ... user, work station, program & reason for failed access.

But we could also insert something that writes to a history file ... a log of who is running what programs. Then when someone complains that the General Ledger is messed up, or there is some bad info in the item master, or whatever it is, we can then list all the people who recently ran the programs that update whatever it is that someone is asking about.

I am wondering if anyone has already done this, knows where the software is that can be modified, and what kinds of gotchas are out there.

-
Al Macintyre http://www.ryze.com/go/Al9Mac
Find BPCS Documentation Suppliers http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/
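
A sketch of the message-queue idea described in the post above, as an added example that is not part of the original post and not BPCS code. The program name BPCSSECLOG, its two parameters, and the point from which it would be called are hypothetical; the post does not establish where BPCS performs its security check. It assumes the QSECBPCS message queue has already been created in a library on the job's library list.

```cl
/* BPCSSECLOG (hypothetical name): record one denied BPCS access   */
/* attempt in the QSECBPCS message queue. Intended to be called    */
/* right before the user is shown the "not authorized" message.    */
/* Assumption: the caller passes the program the user tried to     */
/* run and a short reason text; both parameters are illustrative.  */
PGM        PARM(&PGMNAME &REASON)

  DCL        VAR(&PGMNAME) TYPE(*CHAR) LEN(10)
  DCL        VAR(&REASON)  TYPE(*CHAR) LEN(50)
  DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL        VAR(&JOB)     TYPE(*CHAR) LEN(10)
  DCL        VAR(&MSG)     TYPE(*CHAR) LEN(132)

  /* For an interactive job the job name is the work station name. */
  RTVJOBA    JOB(&JOB) USER(&USER)

  /* One line per denial: user, work station, program, reason.     */
  CHGVAR     VAR(&MSG) VALUE('BPCS ACCESS DENIED USER' *BCAT &USER +
               *BCAT 'WRKSTN' *BCAT &JOB *BCAT 'PGM' *BCAT &PGMNAME +
               *BCAT 'REASON' *BCAT &REASON)

  /* Messages sent to a non-program queue must be informational.   */
  SNDPGMMSG  MSG(&MSG) TOMSGQ(QSECBPCS) MSGTYPE(*INFO)

  /* A logging failure (queue full, damaged or missing) must not   */
  /* change what the user sees: ignore it and return to the caller. */
  MONMSG     MSGID(CPF0000)

ENDPGM
```

The queue can then be reviewed with DSPMSG MSGQ(QSECBPCS). The history file of successful program runs that the post also describes would need a database write from the calling program and is not covered here.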


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
