>> We are going to be audited and I am assigned to clean up. Our
>> operators and programmers user profiles have special authority *ALLOBJ.
>> I noticed that IBM commands in QSYS authority have been changed.
>>
>> 1) Is it common for shops to change IBM command authority? I
>> noticed why operators can't run some commands because of this.
>>
>> 2) When setting up an operator or programmer profile does anyone use
>> QSYSOPR as a group profile for Operators or QPGMR as a group profile for
>> Programmers?
>>
>> When I listed all command authority QSYSOPR & QPGMR user profiles have
>> private authority to some IBM commands.
>>
>> Thanks,
>> Wanda

OOOH! You've been letting your programmers play in the live files! (:

We modify authority to IBM commands rarely... but we do it. But we don't change the as-shipped commands in QSYS; we have an alternate library that appears higher in the system portion of the library list. We duplicate commands we want to change into our library, and make any changes on our copy. Since we're first in the library list, our version(s) get used. Be sure to restrict authority to this alternate system library to look-but-don't-touch so miscreants can't slip a little something of their own into the library.

IBM ships the systems with what it thinks is a good setup (and it is, usually). We tend to give our operators more control over things than IBM thinks we should; our operators have authority (in some areas) closer to programmer authority.

Neither programmers nor operators should have *ALLOBJ authority. Operators have *SAVRST (?) authority to let them save and restore things.

We use QPGMR as a group profile for programmers. We let all of our operators sign on as QSYSOPR.

Regarding private authority to IBM commands: Check the IBM manuals for the as-shipped defaults. Compare your commands to the as-shipped and see what was changed. Once you know what's different from IBM's recommendations, then you can evaluate what you need to run your business.

Auditors generally complain about too much authority in the wrong hands. But if you can make a convincing case they'll accept your explanations.

One problem you may run into: buy-in. With all of the programmers and the operators free to do whatever they please, cracking down on security will be an uphill battle. You MUST have buy-in from the top down: President of the company, and whatever executives are in the chain of command down to you in Data Processing.

Arguments will include: "Don't you trust us?" "We won't be able to work." "Everything will take longer." "We won't be able to find bugs." Each is just a reaction to the turning of the screws. Don't listen to them! (: It's not a matter of trust; it's a matter of the 'oops' factor.

Programmers will need a fully capable test environment (if you don't already have one). And you'll need a change management system to control the promotion of programs and other objects to the live environment. It might be a fancy-shmancy commercial product, or a couple of home-built commands to move the source and object to the live environment. It's the -control- that counts!

As we've been told at our office, don't look at an audit as something to fear. Look at it as an opportunity to show just how good you are, as the auditors try to poke holes in your security.

--Paul E Musselman
PaulMmn@ix.netcom.com

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
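
The "compare your commands to the as-shipped" step from the reply above, sketched as an added example that is not part of the original post. It assumes both the baseline and the current command authorities have been exported to CSV with the hypothetical columns `command,user,authority`; the rows below are constructed sample data, not IBM's real defaults.

```python
import csv
import io

# Constructed sample data; NOT real IBM as-shipped defaults.
# Column names (command,user,authority) are an assumed export layout.
AS_SHIPPED = """command,user,authority
PWRDWNSYS,*PUBLIC,*EXCLUDE
PWRDWNSYS,QSYSOPR,*USE
WRKSPLF,*PUBLIC,*USE
SAVLIB,*PUBLIC,*USE
"""
CURRENT = """command,user,authority
PWRDWNSYS,*PUBLIC,*USE
PWRDWNSYS,QSYSOPR,*USE
WRKSPLF,*PUBLIC,*USE
SAVLIB,*PUBLIC,*EXCLUDE
SAVLIB,QPGMR,*ALL
"""


def load(text):
    """Map (command, user) -> authority from a CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        (r["command"].strip().upper(), r["user"].strip().upper()):
            r["authority"].strip().upper()
        for r in rows
    }


def diff_authorities(baseline_csv, current_csv):
    """Return sorted findings: (kind, command, user, baseline, current)."""
    base, cur = load(baseline_csv), load(current_csv)
    findings = []
    for key in sorted(base.keys() | cur.keys()):
        b, c = base.get(key), cur.get(key)
        if b == c:
            continue  # unchanged from baseline, nothing to explain
        kind = "ADDED" if b is None else "REMOVED" if c is None else "CHANGED"
        findings.append((kind, key[0], key[1], b, c))
    return findings


if __name__ == "__main__":
    for kind, cmd, user, b, c in diff_authorities(AS_SHIPPED, CURRENT):
        print(f"{kind:8} {cmd:10} {user:10} as-shipped={b} current={c}")
```

Each finding is a deviation that either gets a documented business justification for the auditors or gets reverted.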
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].