× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. BPCS-L
  3. February 2005

Re: Sox&BPCS

Genyphyr,

You are correct that SSA no longer requires the use of the group profile SSA
to grant OS/400 authority to the BPCS objects.  However the BMR and README
document are only available to those customers who are currently on OGS.

Unbeaten Path has invented an approach that mitigates SSA group profile BPCS
security problem. It's a pre-packaged service at a very low fixed price and
is called 'Batten Down the Hatches'.

Information about 'Batten Down the Hatches' can be found at:
        http://unbeatenpathintl.com/battendown/source/1.html

Thanks,

Dean A. Olson
Director of Software Technology
Unbeaten Path International
888-874-8008 North America
262-681-3151 International
contactus@xxxxxxxxxx
www.upisox.com


----- Original Message ----- 
From: "Genyphyr Novak" <genyphyr.novak@xxxxxxxxxxxxx>
To: <bpcs-l@xxxxxxxxxxxx>
Sent: Wednesday, February 23, 2005 1:52 PM
Subject: Re: [BPCS-L] Sox&BPCS



 Hello,

I would like to mention: BPCS does NOT require any user to have *ALLOBJ
authority to run the product. Even when it was recommended to use the SSA
group profile for users enrolled in BPCS this was not true. Nor do we any
longer require or recommend that the user enrolled in BPCS should have an
SSA group profile for any currently supported version of the product
including BPCS 4.05 CD. Be aware that any user can update BPCS data via use
of their PC even if they do not have command line access by use of ODBC
connections - so it is not secure if your AS/400 is linked to your PC
network.

There are BMRs out there (please see the archives for more on this topic)
delivering recompiled KRSO objects so that User Profile *OWNER is used, and
to secure the command line from adopting too much authority. These BMRs
ship with README instructions explaining how to use the recompiled objects,
along with an understanding and use of iSeries security features, in order
to properly protect your BPCS data files.

Thanks,

Genyphyr Novak
SSA GT R&D

message: 2
date: Tue, 22 Feb 2005 14:18:36 -0500
from: Lisa.Abney@xxxxxxxxxxxxxxxxx
subject: Re: [BPCS-L] Sox&BPCS

Danny ...

We passed our first Sarbanes Oxley audit in December with flying colors.
It was a LOT of work, but the work was on the development side ... change
control, developer access to objects, etc.  ... nothing to do with BPCS.
(And we are on 4.05 ... not a particularly current version!)  The only
thing they really questioned about BPCS was the fact that that release
runs with users having all object authority, but once we documented for
them that that was a requirement of the software, and that we control the
risks by the other security features we have in place (users not having
command line access, etc.), that was acceptable.  Is there something in
particular your auditors are questioning, with regards to BPCS?

Lisa D. Abney
Manager Development Support
Sensient Technology
Phone:  (317) 240-1418--

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.