Hi Again,

Darryl, you just made me realize something... If all the security programs are set to adopt the owner's authority and BPCSMENU is owned by SSA (or whichever single group profile is selected) then I should be OK - the step of adding 'CHGGRPA GRPJOB(SSA)' to BPCSMENU is overkill. The only thing is I don't remember which program parameter takes precedence, 'Use adopted authority' or 'User profile' (all the security programs are still set to *USER) or if it's collective... Time for me to read up on this some more.

Actually, since Genyphyr supplied me w/ the 4.05 CD BMR #s, I'm all set. Thanks Genyphyr! Thanks Darryl! Clare! And everyone else!

FYI, I do agree that SSA doesn't need *ALLOBJ authority; just would like to also remove it from my users' group profile settings (at least those w/ ODBC access). And I agree w/ Norma, this discussion is somewhat nerve-racking!

Thanks again.
DeeDee Virgei

-----Original Message-----
From: bpcs-l-bounces+deedee.virgei=nelsonstud.com@xxxxxxxxxxxx [mailto:bpcs-l-bounces+deedee.virgei=nelsonstud.com@xxxxxxxxxxxx] On Behalf Of darryl frankel
Sent: Thursday, February 24, 2005 5:31 PM
To: 'SSA's BPCS ERP System'
Subject: RE: [BPCS-L] Fix that SSA *Allobj Security Exposure!

Matters are different when accessing the database using tools such as ODBC drivers. In this instance, you may be advised to:

- Revoke all authorities and simply grant authority to a single group profile with all rights required to run BPCS such as SSA. ALLOBJ authority is not required at all. Change your initial program such as BPCSMENU to adopt the owner's authority. In this manner when you sign on, you will not have access to BPCS, until the user has passed BPCS Security, under program control starting with the initial program BPCSMENU.
- Create a new user profile for ODBC users to sign on with. This user should then at most have READ rights only to BPCS data libraries. In some shops, you may want to restrict the access to a few files only.

Darryl Freinkel
Assignment400.com

-----Original Message-----
From: bpcs-l-bounces+darrylfrankel=assignment400.com@xxxxxxxxxxxx [mailto:bpcs-l-bounces+darrylfrankel=assignment400.com@xxxxxxxxxxxx] On Behalf Of DeeDee Virgei
Sent: Thursday, February 24, 2005 3:35 PM
To: SSA's BPCS ERP System
Subject: RE: [BPCS-L] Fix that SSA *Allobj Security Exposure!

Hi,

Removing *ALLOBJ authority (or changing it to *USER) does not resolve the issue w/ ODBC and some other PC software; if you have all your users w/ SSA group profile then you are still at risk. Keep in mind Genyphyr's statement "Nor do we any longer require or recommend that the user enrolled in BPCS should have an SSA group profile for any currently supported version of the product..."

If my memory serves me correctly, the general solution to this problem is to perform a few steps:

1st (and most relevant) set all BPCS programs' USRPRF setting to *OWNER and I believe USEADPAUT setting to *YES (can change w/ CHGPGM command).

2nd verify all BPCS objects are owned by SSA (if not, can change w/ CHGOBJOWN command or use TAATOOL as suggested - should have shipped this way).

3rd for all BPCS files, verify SSA authority is set to *ALL (should have shipped this way), and *PUBLIC authority is set to either *USE or *EXCLUDE depending on how much access you want your users to have outside of BPCS and the green screen (I believe shipped w/ *CHANGE, can change w/ GRTOBJAUT command).

The final step is to start removing SSA Group profile from your users' profiles...

I've really oversimplified this fix. First off, you won't be able to change all the BPCS programs in the 1st step due to the attribute settings on some security programs. That is where OGS comes into play; support can send you these programs w/ the *OWNER setting. Although I'm still not sure what releases they will do this with...

A work-around is to change BPCSMENU (the BPCS startup program [CLP]), add "CHGGRPA GRPJOB(SSA)".
This will provide you w/ traditional green screen security where users have SSA authority, but are limited due to the "Limit capabilities *YES" setting in their profile. Since this added command only changes the interactive session authority, ODBC and other PC software should not be a threat...

A few last points, you will have to adjust file authority (3rd step) if you have other programs/applications that run on the iSeries or other platforms updating BPCS files; possibly add additional group authority. BPCS programs (1st step) includes modified and out-of-the-box programs. File authority (3rd step) also applies to non-BPCS files used by modified BPCS programs.

Hope this helps. I've gathered this info from the archives...

DeeDee Virgei
Project Leader
Nelson Stud Welding, Inc.

-----Original Message-----
From: bpcs-l-bounces+deedee.virgei=nelsonstud.com@xxxxxxxxxxxx [mailto:bpcs-l-bounces+deedee.virgei=nelsonstud.com@xxxxxxxxxxxx] On Behalf Of Clare Holtham
Sent: Thursday, February 24, 2005 4:36 AM
To: SSA's BPCS ERP System
Subject: Re: [BPCS-L] Fix that SSA *Allobj Security Exposure!

But Tay,

It works as shipped. In other words, the SSA Group Profile (which is not shipped as *Allobj, or never was) owns all the BPCS objects, and all the BPCS users are members of that group. *Allobj is a red herring and is not required.

In Europe we (when I was with SSA) have always created a secondary profile called SSALOAD which DOES have *Allobj, AND is a member of the SSA group profile (which only needs *USER), and has owner *GRPPRF. This profile can be used for installing BPCS, for installing PTFS, for creating new BPCS environments, etc etc. It is because some consultants have used the SSA group profile to do these jobs that it has been left on customer boxes with *ALLOBJ.

cheers, Clare

Clare Holtham
Director, Small Blue Ltd - Archiving for BPCS
Web: www.smallblue.co.uk
IBM Certified iSeries Systems Professional
Email: Clare.Holtham@xxxxxxxxxxxxxxx

----- Original Message -----
From: <tay@xxxxxxxxxxxxx>
To: "SSA's BPCS ERP System" <bpcs-l@xxxxxxxxxxxx>
Sent: Thursday, February 24, 2005 9:13 AM
Subject: Re: [BPCS-L] Fix that SSA *Allobj Security Exposure!

> I am using 4.5CD version BPCS, my idea is the same as what SSA suggests (Profile
> *ALLOBJ). Otherwise, you need to individually (or by group) define BPCS file
> authority use rights and also need to study the files related to the programs
> each individual user runs and grant the authority rights accordingly. Imagine
> that you have over a hundred users and each user has to run
> different (or the same) programs (such as ORD500, ORD600, PUR500, INV500, etc.)
> and sometimes a user quits and is replaced by a new user.
> It will make you crazy!!
>
> From: Tay
>
> --
> This is the SSA's BPCS ERP System (BPCS-L) mailing list
> To post a message email: BPCS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/bpcs-l
> or email: BPCS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/bpcs-l.
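
The effect of the steps discussed in this thread, sketched as a simplified model of how IBM i resolves object authority for a job. This is an added example, not code from any poster or from SSA; it ignores authorization lists, special authorities such as *ALLOBJ and supplemental groups, and the profile names DEEDEE and ODBCRO and all function names are assumptions.

```python
# Added illustration: a simplified model of IBM i object authority resolution.
# Assumptions: no authorization lists, no special authorities such as *ALLOBJ,
# one group per user. DEEDEE and ODBCRO are constructed profile names.
LEVELS = ["*EXCLUDE", "*USE", "*CHANGE", "*ALL"]


def effective_authority(obj, user, adopted_owners=()):
    """Authority a job running as `user` gets to `obj`.

    obj: {"private": {profile: level}, "public": level}
    user: {"name": str, "group": str or None}
    adopted_owners: owners of USRPRF(*OWNER) programs in the call stack.
    """
    private = obj["private"]
    if user["name"] in private:          # the user's own authority comes first
        base = private[user["name"]]
    elif user["group"] in private:       # then the group profile's authority
        base = private[user["group"]]
    else:                                # otherwise *PUBLIC applies
        base = obj["public"]
    # Adopted authority is added only while the adopting program is running,
    # so a job that never calls BPCSMENU (an ODBC connection) gets none of it.
    adopted = [private.get(o, "*EXCLUDE") for o in adopted_owners]
    return max([base, *adopted], key=LEVELS.index)


def scenarios():
    as_described = {"private": {"SSA": "*ALL"}, "public": "*CHANGE"}
    locked_down = {"private": {"SSA": "*ALL", "ODBCRO": "*USE"},
                   "public": "*EXCLUDE"}
    in_group = {"name": "DEEDEE", "group": "SSA"}
    no_group = {"name": "DEEDEE", "group": None}
    odbc_ro = {"name": "ODBCRO", "group": None}
    return {
        # User still in the SSA group: ODBC gets everything SSA has.
        "odbc_with_ssa_group": effective_authority(as_described, in_group),
        # Group removed but *PUBLIC left at *CHANGE: ODBC can still update.
        "odbc_public_change": effective_authority(as_described, no_group),
        # Group removed and *PUBLIC *EXCLUDE: ODBC is shut out.
        "odbc_locked_down": effective_authority(locked_down, no_group),
        # Same user through BPCSMENU adopting SSA: full access.
        "green_screen_adopting": effective_authority(locked_down, no_group, ["SSA"]),
        # Dedicated read-only ODBC profile.
        "odbc_read_only_profile": effective_authority(locked_down, odbc_ro),
    }


if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name:26} {level}")
```
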
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.