John Earl wrote:
>
> At 08:02 PM 4/24/97 -0700, you wrote:
> >DAsmussen@aol.com wrote:
> >>
> >> Hey Folks,
> ><snip>
> >>
> >> In a message dated 97-04-23 16:50:35 EDT, robert.lilley@smtpgwy.springs.com
> >> (Robert Lilley) writes:
> >>
> >> > Looking for opinions on how developers/programmers at other shops
> >> > obtain emergency security access to AS/400 objects that they otherwise
> >> > do not have access to (assuming you're not one of those shops that
> >> > gives little thought to security).
> >> >
> >> > On our mainframe, we have a pool of "firecall" IDs that have
> >> > more-than-usual access, essentially the equivalent of *ALLOBJ. These
> >> > IDs stay in a suspended (e.g. *DISABLED) status and must be checked
> >> > out for temporary use (typically they are enabled only for one day at
> >> >
> >
> >Consider "FireCall" Group Profiles. These can be added to the person's
> >normal profile (Add as a supplementary group Profile). This way any
> >logging is directly associated with that profile. Also, the job will
> >have the same operational attributes since they are using their normal
> >profile.
> >
>
> Adding the "FireCall" profiles as supplemental groups would mean that these
> programmers would have *ALLOBJ-like authority day in and day out. That's a
> bit more authority than developers ought to operate with on a daily basis,
> IMHO.
>
> jte
>
> *************************************************
> * John Earl        Gig Harbor, Washington U.S.  *
> * Email: johnearl@blarg.net                     *
> *************************************************

John,

I agree wholeheartedly. I didn't explain that very well. The programmer
"checks out" the FireCall group profile. At that time, a job is scheduled
to remove the authority from their profile after 24 hours. (I also created
a command so the programmer can remove the FireCall authority sooner.)
When the authority is attached, Security is notified of the fact, and when
the Firecall Authority will expire.

We are looking at allowing certain specified programmers to invoke the
authority themselves. (Since proper people in security are notified).
Additionally, when the user has the FireCall group, certain monitoring
occurs to provide audit and usage information. I could tell you more, but
then I would have to kill you. ;)

--
Bob Larkin
Larkin Computer Consulting
blarkin@wt.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* This is the Midrange System Mailing List! To submit a new message,    *
* send your mail to "MIDRANGE-L@midrange.com". To unsubscribe from      *
* this list send email to MAJORDOMO@midrange.com and specify            *
* 'unsubscribe MIDRANGE-L' in the body of your message. Questions       *
* should be directed to the list owner / operator: david@midrange.com   *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].