Re: [BPCS-L] Sox&BPCS

[Al Mac <macwheel99@xxxxxxxxxxx>]

Lisa

We are also BPCS 405 but CD
We have NOT granted *ALLOBJ to our SSA group
even though a technician at SSA Tech Support advised us to do so

and we have been running BPCS 405 CD without any security problems for 
several years since SSA tech support told us that we needed to make 
everyone a security officer

We have since moved to another outfit to provide our BPCS tech support

However, we have upgraded SSA group to grant very specific authorities we 
want all users to have, such as ability to look at each other's reports.

Unfortunately for SSA at the time we were on SSA tech support, they had 
some technicians whose training in security nuances was somewhat lacking, 
so sometimes we got guidance that had problems from a security standpoint 
... for example, SSA Tech Support walked a non-IT person through how to use 
Interactive SQL in changing contents of BPCS files without going through 
the BPCS Front Door to keep the records in sync with each other.

I failed to talk the dept head involved into using a program written by me 
to get the job done in such a way that we not at risk of el typo, so on a 
daily basis we have someone doing interactive SQL in such a way that a 
keying error could spell disaster.  I tried to go over his head, but senior 
management did not understand the risks in the same way I do ... after all, 
SSA Tech Support said this was an appropriate thing to do, so Mac must be 
mistaken here.

The occasion of SSA Tech Support telling us to make SSA a Master 400 
Security Officer was when I asked how come XREF was not working as 
advertised ... when I learned that the only way to make that application 
work was to make 100% of our users into Master Security Officers, I decided 
that I did not want the XREF application enough to pay that price.

Once you make people high security, then objects they create in the course 
of normal business also require that high security ... it is not simple to 
crank down the security and still have things work right.
-
Al Macintyre  http://www.ryze.com/go/Al9Mac
-
> Genyphyr ...
>
> Interesting that you say that *ALLOBJ authority is NOT required ... even
> for 4.05 (non CD)?  (Technically, it's not that the user profile has
> *ALLOBJ authority ... we were instructed by SSA that the user profile has
> to have SSA as a group profile, and that profile has to have *ALLOBJ
> authority.)  I specifically asked that question of the SSA help desk about
> 9 months ago, and was told that, while there was a  BMR available for
> later versions, it was not available for our version (although we might be
> able to retrofit it to make it work, etc.).  That e-mail from the help
> desk is what I used to document for our auditors why our profiles are set
> the way they are.
>
> Lisa D. Abney
> Manager Development Support
> Sensient Technology
> Phone:  (317) 240-1418
>
>
> Genyphyr Novak <genyphyr.novak@xxxxxxxxxxxxx>
> Sent by: bpcs-l-bounces+lisa.abney=sensient-tech.com@xxxxxxxxxxxx
> 02/23/2005 02:52 PM
> Hello,
>
> I would like to mention: BPCS does NOT require any user to have *ALLOBJ
> authority to run the product. Even when it was recommended to use the SSA
> group profile for users enrolled in BPCS this was not true. Nor do we any
> longer require or recommend that the user enrolled in BPCS should have an
> SSA group profile for any currently supported version of the product
> including BPCS 4.05 CD. Be aware that any user can update BPCS data via
> use
> of their PC even if they do not have command line access by use of ODBC
> connections - so it is not secure if your AS/400 is linked to your PC
> network.
>
> There are BMRs out there (please see the archives for more on this topic)
> delivering recompiled KRSO objects so that User Profile *OWNER is used,
> and
> to secure the command line from adopting too much authority. These BMRs
> ship with README instructions explaining how to use the recompiled
> objects,
> along with an understanding and use of iSeries security features, in order
> to properly protect your BPCS data files.
>
> Thanks,
>
> Genyphyr Novak
> SSA GT R&D
>
> message: 2
> date: Tue, 22 Feb 2005 14:18:36 -0500
> from: Lisa.Abney@xxxxxxxxxxxxxxxxx
> subject: Re: [BPCS-L] Sox&BPCS
>
> Danny ...
>
> We passed our first Sarbanes Oxley audit in December with flying colors.
> It was a LOT of work, but the work was on the development side ... change
> control, developer access to objects, etc.  ... nothing to do with BPCS.
> (And we are on 4.05 ... not a particularly current version!)  The only
> thing they really questioned about BPCS was the fact that that release
> runs with users having all object authority, but once we documented for
> them that that was a requirement of the software, and that we control the
> risks by the other security features we have in place (users not having
> command line access, etc.), that was acceptable.  Is there something in
> particular your auditors are questioning, with regards to BPCS?
>
> Lisa D. Abney
> Manager Development Support
> Sensient Technology
> Phone:  (317) 240-1418--

-
Al Macintyre  http://www.ryze.com/go/Al9Mac
Find BPCS Documentation Suppliers 
http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/