


Lisa

We are also BPCS 405 but CD
We have NOT granted *ALLOBJ to our SSA group
even though a technician at SSA Tech Support advised us to do so

and we have been running BPCS 405 CD without any security problems for several years since SSA tech support told us that we needed to make everyone a security officer

We have since moved to another outfit to provide our BPCS tech support

However, we have upgraded SSA group to grant very specific authorities we want all users to have, such as ability to look at each other's reports.

Unfortunately for SSA at the time we were on SSA tech support, they had some technicians whose training in security nuances was somewhat lacking, so sometimes we got guidance that had problems from a security standpoint ... for example, SSA Tech Support walked a non-IT person through how to use Interactive SQL in changing contents of BPCS files without going through the BPCS Front Door to keep the records in sync with each other.

I failed to talk the dept head involved into using a program written by me to get the job done in such a way that we are not at risk of el typo, so on a daily basis we have someone doing interactive SQL in such a way that a keying error could spell disaster. I tried to go over his head, but senior management did not understand the risks in the same way I do ... after all, SSA Tech Support said this was an appropriate thing to do, so Mac must be mistaken here.

The occasion of SSA Tech Support telling us to make SSA a Master 400 Security Officer was when I asked how come XREF was not working as advertised ... when I learned that the only way to make that application work was to make 100% of our users into Master Security Officers, I decided that I did not want the XREF application enough to pay that price.

Once you make people high security, then objects they create in the course of normal business also require that high security ... it is not simple to crank down the security and still have things work right.
-
Al Macintyre http://www.ryze.com/go/Al9Mac
-
Genyphyr ...

Interesting that you say that *ALLOBJ authority is NOT required ... even
for 4.05 (non CD)?  (Technically, it's not that the user profile has
*ALLOBJ authority ... we were instructed by SSA that the user profile has
to have SSA as a group profile, and that profile has to have *ALLOBJ
authority.)  I specifically asked that question of the SSA help desk about
9 months ago, and was told that, while there was a  BMR available for
later versions, it was not available for our version (although we might be
able to retrofit it to make it work, etc.).  That e-mail from the help
desk is what I used to document for our auditors why our profiles are set
the way they are.

Lisa D. Abney
Manager Development Support
Sensient Technology
Phone:  (317) 240-1418


Genyphyr Novak <genyphyr.novak@xxxxxxxxxxxxx>
Sent by: bpcs-l-bounces+lisa.abney=sensient-tech.com@xxxxxxxxxxxx
02/23/2005 02:52 PM

Hello,

I would like to mention: BPCS does NOT require any user to have *ALLOBJ
authority to run the product. Even when it was recommended to use the SSA
group profile for users enrolled in BPCS this was not true. Nor do we any
longer require or recommend that the user enrolled in BPCS should have an
SSA group profile for any currently supported version of the product
including BPCS 4.05 CD. Be aware that any user can update BPCS data via
use of their PC even if they do not have command line access by use of
ODBC connections - so it is not secure if your AS/400 is linked to your
PC network.

There are BMRs out there (please see the archives for more on this topic)
delivering recompiled KRSO objects so that User Profile *OWNER is used,
and to secure the command line from adopting too much authority. These
BMRs ship with README instructions explaining how to use the recompiled
objects, along with an understanding and use of iSeries security
features, in order to properly protect your BPCS data files.

Thanks,

Genyphyr Novak
SSA GT R&D

message: 2
date: Tue, 22 Feb 2005 14:18:36 -0500
from: Lisa.Abney@xxxxxxxxxxxxxxxxx
subject: Re: [BPCS-L] Sox&BPCS

Danny ...

We passed our first Sarbanes Oxley audit in December with flying colors.
It was a LOT of work, but the work was on the development side ... change
control, developer access to objects, etc.  ... nothing to do with BPCS.
(And we are on 4.05 ... not a particularly current version!)  The only
thing they really questioned about BPCS was the fact that that release
runs with users having all object authority, but once we documented for
them that that was a requirement of the software, and that we control the
risks by the other security features we have in place (users not having
command line access, etc.), that was acceptable.  Is there something in
particular your auditors are questioning, with regards to BPCS?

Lisa D. Abney
Manager Development Support
Sensient Technology
Phone:  (317) 240-1418

-
Al Macintyre http://www.ryze.com/go/Al9Mac
Find BPCS Documentation Suppliers http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/
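
The thread turns on users who hold *ALLOBJ not directly but through membership in the SSA group profile, with "no command line access" as the compensating control. The following is an added example, not part of any of the posts above and not SSA or BPCS code: it resolves that inheritance over a profile listing. The CSV layout, column names and sample profiles are constructed for illustration.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of user profiles.
# Column names are assumptions for this example, not an IBM i outfile layout.
SAMPLE_EXPORT = """profile,special_authorities,group_profile,supplemental_groups,limit_capabilities
SSA,*ALLOBJ,*NONE,,*NO
QSECOFR,*ALLOBJ *SECADM *AUDIT,*NONE,,*NO
CLERK01,*NONE,SSA,,*YES
PLANNER2,*NONE,RPTGRP,SSA,*YES
BUYER03,*NONE,RPTGRP,,*YES
RPTGRP,*NONE,*NONE,,*YES
"""

def load_profiles(text):
    """Parse the export into {profile: row}, splitting the list-valued columns."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["special_authorities"] = set(row["special_authorities"].split()) - {"*NONE"}
        groups = [row["group_profile"]] + row["supplemental_groups"].split()
        row["groups"] = [g for g in groups if g and g != "*NONE"]
        profiles[row["profile"]] = row
    return profiles

def allobj_report(profiles, authority="*ALLOBJ"):
    """Return {profile: (source, limited)} for every profile that holds the
    authority directly ("direct") or through a group ("via <group>")."""
    report = {}
    for name, row in profiles.items():
        if authority in row["special_authorities"]:
            source = "direct"
        else:
            # A member picks up the special authorities of its group profiles.
            holders = [g for g in row["groups"]
                       if authority in profiles.get(g, {}).get("special_authorities", set())]
            if not holders:
                continue
            source = "via " + ",".join(holders)
        report[name] = (source, row["limit_capabilities"] == "*YES")
    return report

if __name__ == "__main__":
    for name, (source, limited) in sorted(allobj_report(load_profiles(SAMPLE_EXPORT)).items()):
        note = "no command line, but ODBC still reaches the data" if limited else ""
        print(f"{name:10} {source:12} {note}")
```

Profiles reported with `limited` set are the ones whose only control is the missing command line, which the ODBC remark in the thread says does not protect the data files.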
