Hello,

The V6.1 release shipped that way originally (i.e. programs with User Profile
*USER and group profile SSA owning all with it recommended that users
belong to group SSA). But the V6.1.01 release delivered BMR 51582 and the
installation instructions contain a section explaining to users how to set
up the system to avoid giving all users the SSA Group profile via use of
program *OWNER adopted authority.

So the quick way would be to review your install CDs and find the
installation guide for 6.1.01 and check the appendix for the guide to
having a secured database in BPCS. If you don't have the install CDs you
would have to get back on support to get the instructions. But with some
research into general iSeries authority issues you could probably figure it
out with what is already posted to Midrange on this topic.

http://archive.midrange.com/bpcs-l/200207/msg00081.html
http://archive.midrange.com/bpcs-l/200003/msg00302.html

SSA R&D does not any longer recommend that companies run BPCS with that old
security model of the SSA group profile for all BPCS users for exactly the
reasons that Clare stated. We recommend instead that they use the program
*OWNER adopted authority model where only the BPCS program's owner has full
authority to the files, and this is the authority checked when BPCS runs.
This means only people with authority to the BPCS files outside of BPCS
will be able to update those files (i.e. no one but a person with an *ALLOBJ
user profile). And only people with authority to the BPCS programs can run
the programs.

Thus the average user on your system who does not have *ALLOBJ authority
will only gain access to the data files via official BPCS programs, and not
SQL, ODBC or any other method including PCs. (People with *ALLOBJ can never
be kept out, which is why it is wise to guard against this. You don't need
*SECOFR authority to do damage to a system - *ALLOBJ is quite enough
really.)

The use of the *OWNER adopted authority technique as applied to BPCS is
explained on every new installation manual for every release of BPCS which
has shipped since that original BMR was completed several years ago and is
not a state secret - it is in fact just using standard iSeries authority
models which is information you could also glean from the IBM iSeries
support website.

The set up for this security model on supported BPCS releases prior to
V6.1.01 requires BMRs so that the BPCS programs which are non-observable
are re-delivered with the program set to adopt the authority of the *OWNER
of the program, rather than the *USER as older versions of BPCS were
shipped. The command line and attention key access has also been secured in
BPCS to *prevent* it from adopting the program *OWNER authority, and
instead will revert the user to their own original iSeries authorities when
on a command line within BPCS.

For all currently supported BPCS releases (including BPCS CD if you are on
a support contract) there are now completed BMRs you can request that will
allow you to use this set up and which do come with a full README file
explaining the concept. An understanding of basic iSeries security concepts
is also required.

Thanks,

Genyphyr Novak
Senior Systems Software Engineer
SSA Global R&D
E-mail: genyphyr.novak@xxxxxxxxxxxxx
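
Added example, not part of the original message and not SSA's code: a simplified Python model of the two setups discussed in this thread (group-profile ownership versus program *OWNER adopted authority). The profile, file and program names (APPOWN, CLERK, SECADM, ORDERS, ORD500, CMDLINE) are constructed, and the authority lookup is reduced to *ALLOBJ, ownership, private, group and *PUBLIC, with the secured command line modelled as a program that does not inherit adopted authority.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    group: str = ""                      # group profile, "" if none
    special: frozenset = frozenset()     # special authorities, e.g. {"*ALLOBJ"}

@dataclass
class Obj:
    name: str
    owner: str
    public: str = "*EXCLUDE"
    private: dict = field(default_factory=dict)  # profile name -> authority

@dataclass
class Program(Obj):
    usrprf: str = "*USER"      # "*OWNER": callers run with the owner's authority
    use_adopted: bool = True   # False: ignore authority adopted further up the stack

def direct_authority(profiles, who, obj):
    """Authority from the profile itself, then its group, then *PUBLIC."""
    for name in (who, profiles[who].group):
        if not name:
            continue
        if "*ALLOBJ" in profiles[name].special or obj.owner == name:
            return "*ALL"
        if name in obj.private:
            return obj.private[name]
    return obj.public

def can_change(profiles, user, obj, call_stack=()):
    """May `user` update `obj`, directly or through authority adopted in the call stack?"""
    ok = ("*ALL", "*CHANGE")
    if direct_authority(profiles, user, obj) in ok:
        return True
    adopted = []
    for pgm in call_stack:               # oldest caller first
        if not pgm.use_adopted:
            adopted = []                 # e.g. a command line that must not inherit
        if pgm.usrprf == "*OWNER":
            adopted.append(pgm.owner)
    return any(direct_authority(profiles, o, obj) in ok for o in adopted)

def scenario(adopting):
    """Constructed setup: group model (adopting=False) or *OWNER adoption model (True)."""
    owner = "APPOWN" if adopting else "SSA"
    profiles = {p.name: p for p in (Profile("SSA"), Profile("APPOWN"),
                Profile("CLERK", group="" if adopting else "SSA"),
                Profile("SECADM", special=frozenset({"*ALLOBJ"})))}
    orders = Obj("ORDERS", owner)
    entry = Program("ORD500", owner, private={"CLERK": "*USE"},
                    usrprf="*OWNER" if adopting else "*USER")
    cmdline = Program("CMDLINE", owner, public="*USE", use_adopted=False)
    return profiles, orders, entry, cmdline
```

With `scenario(False)` an empty call stack (the ODBC or SQL case) already lets CLERK change ORDERS; with `scenario(True)` only a call stack containing ORD500 does, and appending CMDLINE takes that access away again.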







message: 2
date: Wed, 2 Feb 2005 09:30:09 -0500 (EST)
from: gerry harris <harris_ger@xxxxxxxx>
subject: [BPCS-L] Adopted Rights


Hello

V61.01 MM

Is it true when Users sign-on to BPCS they automatically adopt *All
authorities to all BPCS objects?

I searched in your archives and noticed some previous postings concerning
this issue. Someone mentioned SSA had BMRs and white papers to correct this
issue.

Unfortunately our shop has a NO-OGS policy. Is there a quick way to correct
this issue without re-inventing the wheel?

Thanks

------------------------------

message: 8
date: Thu, 3 Feb 2005 14:57:23 -0000
from: "Clare Holtham" <Clare.Holtham@xxxxxxxxxxxxxx>
subject: Re: [BPCS-L] Adopted Rights

Hello Gerry,

BPCS is shipped with all of the objects owned by the Group Profile SSA.
Normally all BPCS users are set up as members of the SSA group profile. This
gives them access to all of the BPCS objects with all rights. This system
worked well in the past when users only had green screens, as they could be
restricted from command line use. They could only access BPCS via the menus.
However, if your users have PCs, then this could be dangerous as they could
potentially access a BPCS file via something like MSAccess, and they would
be able to change or delete it, either deliberately or accidentally.
To prevent this happening, you could restrict BPCS users to green screen
apps, and give any that needed PC access (finance usually) separate user ids
that were not members of the SSA profile.
Or you could change the way things work by using 'adopted authority'
(another AS/400 term). To do this you would need to change a couple of
programs in BPCS, and then remove the SSA profile from your users. SSA have
a document that details how this can be done, or you could get help from us
(if you are in Europe), or someone like Unbeaten Path (if you are in the US)
at www.unbeatenpathintl.com who also have some other Security oriented
products.
The other issue to watch out for is (what happens at many BPCS sites) where
your SSA group profile has *Secofr authority (it only need have *User). Here
you could be giving your users access not only to accidentally deleting BPCS
files, but also to accidentally doing a power down sys or similar!!

Hope this helps,

Clare

Clare Holtham
Director, Small Blue Ltd - Archiving for BPCS
Web: www.smallblue.co.uk
IBM Certified iSeries Systems Professional
Email: Clare.Holtham@xxxxxxxxxxxxxxx

----- Original Message -----
From: "gerry harris" <harris_ger@xxxxxxxx>
To: <BPCS-L@xxxxxxxxxxxx>
Sent: Wednesday, February 02, 2005 2:30 PM
Subject: [BPCS-L] Adopted Rights


>
> Hello
>
> V61.01 MM
>
> Is it true when Users sign-on to BPCS they automatically adopt *All
> authorities to all BPCS objects?
>
> I searched in your archives and noticed some previous postings concerning
> this issue. Someone mentioned SSA had BMRs and white papers to correct this
> issue.
>
> Unfortunately our shop has a NO-OGS policy. Is there a quick way to
> correct this issue without re-inventing the wheel?
>
> Thanks
>





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.