Dear Jim ~ response #3

Response #2 spoke about the distinction between the authority granted by BPCS SYS600 to use BPCS objects and the outright ownership of BPCS objects granted by OS/400 to all members of the SSA group profile. That distinction opens the door for BPCS user ROGERCOBY to delete the entire BPCS item master file even though he's excluded from item master maintenance. SOX auditors would surely complain about that security risk.

Please click here: http://www.unbeatenpathintl.com/9sixeye-openers/source/1.html for more details about the distinction between the use and ownership of objects; look for the subject entitled:

>> Drawing the line between use and ownership

The same URL presents five other topics nominated by BPCS technical experts as the most surprising OS/400 security eye-openers revealed by our new risk assessment product: Bill of Health (tm) Security Diagnostics and Rx for iSeries. Here are the other five titles:

>> Like father like son (el hijo del tigre sale pintado)
>> Not all batch jobs are created equal
>> Over-the-horizon radar for exit point vulnerabilities
>> Another invention breeds another vulnerability: validation lists
>> Finding vulnerable directories

Please see these subsequent responses for BPCS/SOX topics:

#4 ~~ learn about dozens of other OS/400 security risks identified by Bill of Health software.
#5 ~~ information about a much more SOX-friendly idea than BPCS' clunky SYS600 security system.
#6 ~~ learn how the PCAOB interpretation of SOX compels external auditors to look at the details of each BPCS business process to identify internal control deficits and the consequent BPCS data integrity issues.
#7 ~~ information about our award-winning Stitch-in-Time (tm) Data Integrity software that enables you to respond to SOX auditor inquiries about the integrity of DB2 information.
#8 ~~ introduction to several other clever and affordable Stocking Stuffers (tm) for SOX products designed to help enterprises prepare for Sarbanes-Oxley.

God bless,
Milt Habeck
Unbeaten Path International
Toll free North America: (888) 874-8008
International voice: (262) 681-3151
European contact: (44) 1-737-824248
mhabeck@xxxxxxxxxx
www.unbeatenpathintl.com

++++++++ +++++++ +++++++ +++++++ +++++++ +++++

From: Reinardy, James
To: bpcs-l@xxxxxxxxxxxx
Sent: Wednesday, June 09, 2004 3:17 PM
Subject: DB2 Users

Hello All,

We are running BPCS 6.04 on iSeries. I am trying to understand the relationship between iSeries users, BPCS users and DB2 file access. The concern is arising because of Sarbanes-Oxley. Our auditors are suggesting that we need to lock down file privileges against the BPCS database, but we are a little unclear about what user BPCS uses for data access against DB2. Is it the individual user that is logged into BPCS, that user with a changed profile (SSA perhaps vs. *PUBLIC), or some other generic user?

The idea here is to restrict access on a file by file basis for AS400Query, SQL queries, ODBC connections, etc. However, we want to be sure if we lock things down that we don't break BPCS screens and batch jobs.

Any suggestions on how to improve our understanding in this area would be appreciated.

Regards,
Jim Reinardy
Director-IS
Badger Meter, Inc.
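The use-versus-ownership point raised in Milt's response, and the question Jim asks about which profile actually reaches the DB2 files, can both be checked from a 5250 command line. The OS/400 CL below is an added example for this archive, not code from either poster or from Unbeaten Path; the library name BPCSF and the physical file name IIM are assumed placeholders for the BPCS data library and item master file, and the only user named is the ROGERCOBY example already used in the thread.

```cl
/* Added example, not from the original posts.                          */
/* Assumed names: library BPCSF, item master file IIM. Substitute yours. */

/* 1. Who owns the file, and what does the owner hold?                  */
/*    By default the owner of an object has *ALL authority. When the    */
/*    owner is a group profile (SSA), every member of that group        */
/*    inherits the owner's authority to the object.                     */
DSPOBJAUT OBJ(BPCSF/IIM) OBJTYPE(*FILE)

/* 2. Who is in the SSA group?  Any profile listed here can CLRPFM or   */
/*    DLTF the file, regardless of what BPCS SYS600 says about item     */
/*    master maintenance, because OS/400 checks object authority,      */
/*    not the application's menu security.                              */
DSPUSRPRF USRPRF(SSA) TYPE(*GRPMBR)

/* 3. Trace one user's path to the file: confirm the group membership, */
/*    then write the file's authority entries to an outfile so the     */
/*    private, group and *PUBLIC entries can be queried side by side.  */
DSPUSRPRF USRPRF(ROGERCOBY) TYPE(*BASIC)
DSPOBJAUT OBJ(BPCSF/IIM) OBJTYPE(*FILE) OUTPUT(*OUTFILE) +
          OUTFILE(QTEMP/IIMAUT)
```

Run step 1 against a handful of BPCS physical files; if the owner column reads SSA and the Owner row shows *ALL, the exposure described in the thread applies to every profile returned by step 2, and no SYS600 setting changes that. Step 3's outfile is the raw material for the file-by-file review Jim's auditors asked for: it shows exactly which entry (private, group or *PUBLIC) grants each BPCS user access, which is what you need to know before tightening *PUBLIC without breaking the screens and batch jobs.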