


At 11:31 AM 9/16/97 +0200, you wrote:
>Hi!
>
>How do other sites restrict their programming staff? Do you allow them
>*JOBCTL or (shock horror) *ALLOBJ authority? Do they have access to live
>programs and data or is there some form of change control? etc...
>
>All comments welcome,

Tim

Would you believe this company got away with *ALLOBJ for programmers for over a decade? And nobody questioned it? And were we surprised to find that some normal **users** had *ALLOBJ. (I've been here just a year and a half or so :-)) We got an audit that said we had to change this--duh! We based our strategy on a book from IBM called Tips and Tools for Securing Your AS/400. It comes with v3r7 or later, I think, and is available free for other releases. It's part of security tools and PTFs that we should all have (GO SECTOOLS, GO SECBATCH will get you to the various functions, if you have it installed). The model we've followed is a combination of menu-level control and appropriate use of adopted authority and the USRPRF attribute of programs.

In addition, we've been using a change control system (ALDON) for a while, and that controls distribution of applications, as well as access to objects on our development machine. On production machines, programmers (for normal activities) have basically no access to anything, except what can be done through our user menu system, and that's probably not even adequate, because we still may be able to modify live data--don't remember where that sits. We've looked at limiting programmers to inquiry only.

The ruling premise for us is, allow enough access to perform the job you need to do. This is a continual negotiation process, but procedures need to be established, IMO, that state how and under what circumstances extensions to a person's authority shall be granted.

As an example, we have a function that can grant the authority from a secure profile, to an ordinary user or developer. (I think it's from News/400.) It uses various security APIs to do this. As part of the process, we turn on security auditing for that user. Only a limited number of people can grant this privilege (help desk, in our case), and they log when it's done.

Cheers


Vernon Hamberg
Systems Software Programmer
Old Republic National Title Insurance Company
400 Second Avenue South
Minneapolis, MN 55401
(612) 371-1111 x480

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
| and specify 'unsubscribe MIDRANGE-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
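One shape such a grant function can take, written here as an added CL example and not the News/400 utility the post refers to. The program name GRTTMPAUT, the library SECLIB, the SECLOG message queue and the HELPDESK group are assumptions: the program is compiled with USRPRF(*OWNER) so it adopts the secure owning profile's authority, refuses anything beyond *USE or *CHANGE, switches on user auditing before the grant so the grant itself lands in QAUDJRN, and records who granted what to whom.

```cl
/* GRTTMPAUT - constructed example of an audited, owner-adopted grant.      */
/* Compile as:                                                              */
/*   CRTCLPGM PGM(SECLIB/GRTTMPAUT) SRCFILE(SECLIB/QCLSRC)                  */
/*            USRPRF(*OWNER) AUT(*EXCLUDE)                                  */
/* Owner is assumed to be the secure profile; then allow only the help desk: */
/*   GRTOBJAUT OBJ(SECLIB/GRTTMPAUT) OBJTYPE(*PGM) USER(HELPDESK) AUT(*USE) */
PGM PARM(&USER &OBJ &LIB &OBJTYPE &AUT)
  DCL VAR(&USER)    TYPE(*CHAR) LEN(10)   /* profile receiving authority   */
  DCL VAR(&OBJ)     TYPE(*CHAR) LEN(10)   /* object being opened up        */
  DCL VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL VAR(&OBJTYPE) TYPE(*CHAR) LEN(10)   /* e.g. *FILE, *PGM              */
  DCL VAR(&AUT)     TYPE(*CHAR) LEN(10)   /* requested authority           */
  DCL VAR(&CALLER)  TYPE(*CHAR) LEN(10)
  DCL VAR(&MSG)     TYPE(*CHAR) LEN(256)

  /* Never hand out *ALL through this path; *USE or *CHANGE is the ceiling */
  IF COND(&AUT *NE '*USE' *AND &AUT *NE '*CHANGE') THEN(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('Only *USE or *CHANGE may be granted') MSGTYPE(*ESCAPE)
  ENDDO

  /* Fail cleanly if the target object does not exist */
  CHKOBJ OBJ(&LIB/&OBJ) OBJTYPE(&OBJTYPE)
  MONMSG MSGID(CPF9801) EXEC(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('Object not found') MSGTYPE(*ESCAPE)
  ENDDO

  /* Audit the recipient first: commands, security changes and adoption */
  CHGUSRAUD USRPRF(&USER) AUDLVL(*CMD *SECURITY *PGMADP)

  /* The grant runs with the owner's adopted authority, not the caller's */
  GRTOBJAUT OBJ(&LIB/&OBJ) OBJTYPE(&OBJTYPE) USER(&USER) AUT(&AUT)

  /* Log the human who did it; job user is not changed by adoption */
  RTVJOBA USER(&CALLER)
  CHGVAR VAR(&MSG) VALUE(&CALLER *TCAT ' granted ' *CAT &AUT *TCAT +
                         ' on ' *CAT &LIB *TCAT '/' *CAT &OBJ *TCAT +
                         ' to ' *CAT &USER)
  SNDMSG MSG(&MSG) TOMSGQ(SECLIB/SECLOG)
ENDPGM
```

Pair it with a matching revoke (RVKOBJAUT) run from the same help-desk procedure so the grant stays temporary, and review QAUDJRN entries for the audited user while it is in force.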

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].