Re: Re: BPCS - Program Security -- BPCS-L

Shalom

BPCS Security was dramatically re-written going from version V4 to V6 to address many long standing issues with prior versions.

Some of the security threats are non-obvious to many IT and management staff, and BPCS security can be cumbersome to navigate and manage. In general, we trust people to behave responsibly, whether ordinary users, or IT people, but opportunities abound for various kinds of human error and embezzlement to go unnoticed. For example, an error is made in defining an item, we conclude from the data that it is unprofitable ... it is not unprofitable, the data is wrong, but this is non-obvious. Lots of things in BPCS are non-obvious, not just errors in security, it is a systemic problem.

What usually is noticed first is that many people need to access INV100 to change lots of stuff unrelated to each other, and it is very easy for someone to accidentally field exit thru some field managed by some other corporate dept, and mess things up, with no one the wiser.

Solution ... clone the INV100 software creating INVI* this and that variants where customer service updates the list price and last quote but not much else, purchasing updates info on last vendor contract, engineers update revision level, plant maintenance updates tooling ... each dept getting at THEIR fields, then limit who has authority to these different areas.

UPI and other firms have supplied add-on products to help resolve this area: * security files management made friendly * security audit to identify weaknesses in a format that tells management what the problems are, without providing info useful to a hacker, such as how many passwords are easy to guess and have not been changed in eons, or if virtual sessions are setup so that a potential hacker can have infinite password guesses. * data base monitoring that is BPCS field specific to sensible interests, such as who changed the price, shipped out some stuff, then changed the price back; or changed the GL rules, so that inventory transactions invisible from GL, then walked off with a pile of inventory, then changed the GL rules back again. * conversion tool to get BPCS security from vulnerable group authority to rules changed to more modern theories on good 400 security, and get the whole task accomplished smoothly without a big hassle - Al Macintyre http://www.ryze.com/go/Al9Mac Find BPCS Documentation Suppliers http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html BPCS/400 Computer Janitor

Step 3
Change the default object authority to modify the sensitive files,
and allow data modification only to those who need it.
This will not work for files like IIM!!

Shalom Carmel
www.venera.com - exposing AS/400 insecurity