I am a programmer/analyst (or whatever the buzzword is at present). The AS/400 was brought in, and I was told to learn as much as possible, set it up, and get it going. Which I did do. Then we were audited by external auditors, with the power to tell us that our present configuration is no good -- yank it out now -- and they would mean it, no matter the consequences. Needless to say security, on a 1-10 scale, was somewhere in the negatives. We were given 1 month to clean it up.

Creating User Profiles -- not my job. That belongs to our Information Security department. Once I worked out the security and procedures, that was their responsibility.

Development -- that is my job. Hence the Development region. The data is mine to clobber, kill, destroy, play with to my heart's content. Once a request has been completed (as far as I can see and/or test) the applicable objects are migrated to QA for User acceptance testing. Yes, this does require Change Management procedures, and another department whose responsibility it is to do the migration. This is something else that I created. This department (3 people actually) signs on, chooses the option from a menu to begin migration, enters a library name they are migrating from, chooses the names of the objects that they are migrating, fills in the name of the libraries that they are migrating to; once they have finished, they choose the option to sign off. This then sets the ball rolling for the system to calculate what libraries have been migrated to so that the correct security can be applied to the objects in the new library; the object ownership is also changed so that I am no longer the owner; reports are generated showing what that person doing the migration did, and what subsequent actions were performed. Reports printed, and migration-user signed off. The external auditors came back, saw the changes we had implemented and rectified their findings from "remove the system now" to a 10.

Needless to say I received one ATTABOY.

Once in QA it is the users' responsibility to test the kazoo out of what is new. Any problems, I rectify in TEST and migrate the changes into QA for re-testing. Once accepted, the users sign off, and everything is migrated to the PRODUCTION system. Are there times when a production problem occurs and a fix is required immediately? Of course, we are all human. At that time I request (in writing - keep those auditors happy) that a special User Profile be made available from the Information Security department. The password is given to me, I use the special profile to rectify the situation, and within 24 hours the password to that special User Profile is changed by Information Security, so that I am unable to use it.

There are other things that are used for security purposes, but I think (hope) that I have expressed myself succinctly enough in that security is extremely important and to try and circumvent this for one reason or another should be NO consideration. Granted, what I have expressed above may NOT be feasible for small businesses, but then the opening for security breaches is just that much larger.

My apologies to everyone for my standing on my soapbox, but this topic is near and dear to my heart.

>>> Henrik Krebs <hkrebs@hkrebs.dk> 09/14 11:14 AM >>>
Alan:

In theory you are right. But did you notice my findings when I want e.g. to create a user profile? The customer often does not care what I do, being busy with 'their own' problems. To limit *ALL to the test environment only requires a good Change Management System which, even so good, can be fooled anyway, intentionally or accidentally. It also requires much, much more than "Infrequent Use Of" the customer's resources (man power) for testing and 'putting into production'. There is nothing I would like more than getting a 100% guarantee from the customer that any system failure (production) was the responsibility of the customer. Because a limitation of the access to Production has no meaning if you just accept my "It works - do this and that in the production environment" without any considerations.

Can we set up a contract working for your company: a) I make the changes in test, b) You give me all the resources I need to test and implement and c) If the testing and implementation steps are incomplete or incorrect, then don't blame me? No, you will not do this.

What other options? A pseudo-secure procedure where you just do as you are told - restore objects, run fix-programs etc. in the restricted production environment, or base it to some extent on trust without hiding any security exposure.

Any programmer in any IT department is a security risk (as is any user, though they're smaller risks). Believe me: I'm good. I even try to be better than you (in my specific area). But I (as you) make mistakes - I did one seven years ago :-)

PS: I've never asked for *ALLOBJ. But I've often got it when asking for *SOMEOBJ

Henrik

alan shore wrote:
>
> I completely disagree - as would many if not all internal and external auditors to ANY company. With ALLOBJ authority to objects in the application you can really create havoc.
> Anything that is in a DEVELOPMENT environment (ONLY), you should have complete access to; that I agree with.
> Anything that is in a PRODUCTION - or a User Acceptance QA - environment, you should have USE authority only.
>
> >>> "Henrik Krebs" 09/13 2:49 PM >>>
> Here is what I as an IT consultant need to work effectively. The same thing probably
> applies to software companies I guess.
>
> o All-authority to objects in the application (Directly or via GRPPRF).
> o A good cooperation with a person at the customer for (rather infrequent use of) *ALLOBJ and *SECADM - creating
> user profiles, fixing the "oops - Object changed owner when restored" (we all make mistakes sometime) etc.
> o An answer Yes/No to the question "Want a joblog for each job/session?").
> Personally I've only met 'No', even when the infrequent use of *ALLOBJ was managed with the loan of QSECOFR.
>
> The sentence "We refused to give them *ALLOBJ rights, period." or "after a specified time, it cancels the dial in job," really sounds like a lack of 'good cooperation' and more like "Do your bloody job and don't bother us". If I - in that situation - should do the bloody job, I should also need *ALLOBJ!
>
> Henrik
> http://hkrebs.dk
---------------------------------------------------------
This mail was sent through Eoffice: http://www.eoffice.dk
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
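The promotion step Alan describes at the top of the thread (objects copied out of the development library, ownership taken away from the developer, the correct authority applied in the target library, and a report produced for the auditors) modelled as an added example. This is not code from the thread, from midrange.com, or from any product mentioned in it. CRTDUPOBJ, CHGOBJOWN and GRTOBJAUT are standard OS/400 CL commands; the library names DEVLIB/QALIB/PRODLIB, the application-owner profile APPOWN, the sample object list, the allowed promotion paths and the rule that the migrator may not be the developer are all constructed assumptions based on the separation of duties the post describes.

```python
"""Model of the DEV -> QA -> PROD promotion step described in the thread.

Added example, not code from the thread or any product it mentions.
Library names, the APPOWN profile, the object list, the allowed paths and
the "migrator is not the developer" rule are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

ENVIRONMENTS = {"DEVLIB": "DEV", "QALIB": "QA", "PRODLIB": "PROD"}  # assumed names
ALLOWED_PATHS = {("DEV", "QA"), ("QA", "PROD")}  # no DEV -> PROD shortcut, no moves backwards
APP_OWNER = "APPOWN"  # profile that owns objects once they leave DEV (assumed)


@dataclass
class MigrationRequest:
    migrator: str                   # profile of the change-management user running the tool
    developer: str                  # profile that owns the objects in the source library
    from_lib: str
    to_lib: str
    objects: List[Tuple[str, str]]  # (object name, CL object type such as *PGM or *FILE)


@dataclass
class MigrationPlan:
    commands: List[str] = field(default_factory=list)      # CL to run, in order
    report_lines: List[str] = field(default_factory=list)  # audit report for the printer


def validate(req: MigrationRequest) -> None:
    """Refuse anything that would bypass the separation of duties."""
    src, dst = ENVIRONMENTS.get(req.from_lib), ENVIRONMENTS.get(req.to_lib)
    if src is None or dst is None:
        raise ValueError(f"unknown library in {req.from_lib} -> {req.to_lib}")
    if (src, dst) not in ALLOWED_PATHS:
        raise ValueError(f"promotion {src} -> {dst} is not permitted")
    if req.migrator.upper() == req.developer.upper():
        raise ValueError("a developer may not migrate their own objects")
    if not req.objects:
        raise ValueError("nothing to migrate")


def build_plan(req: MigrationRequest, now: Optional[datetime] = None) -> MigrationPlan:
    """Produce the CL and the audit report for one migration."""
    validate(req)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    plan = MigrationPlan()
    plan.report_lines.append(
        f"MIGRATION {req.from_lib} -> {req.to_lib} run by {req.migrator} at {stamp}")
    for name, objtype in req.objects:
        target = f"{req.to_lib}/{name}"
        # 1. Copy the object into the target library; the source copy stays in DEV
        #    so later fixes can be made there and re-migrated.
        plan.commands.append(
            f"CRTDUPOBJ OBJ({name}) FROMLIB({req.from_lib}) OBJTYPE({objtype}) TOLIB({req.to_lib})")
        # 2. Give the copy to the application owner.  CUROWNAUT(*REVOKE) strips the
        #    *ALL authority the previous owner (whoever ran the copy) would otherwise keep.
        plan.commands.append(
            f"CHGOBJOWN OBJ({target}) OBJTYPE({objtype}) NEWOWN({APP_OWNER}) CUROWNAUT(*REVOKE)")
        # 3. Everyone, developer and migrator included, is left with *USE only.
        plan.commands.append(
            f"GRTOBJAUT OBJ({target}) OBJTYPE({objtype}) USER(*PUBLIC) AUT(*USE)")
        plan.report_lines.append(
            f"  {name:<10} {objtype:<6} owner -> {APP_OWNER}; *PUBLIC *USE; developer {req.developer}")
    return plan


if __name__ == "__main__":
    request = MigrationRequest("MIGR01", "DEVUSR", "DEVLIB", "QALIB",
                               [("ORDPGM", "*PGM"), ("ORDFILE", "*FILE")])
    result = build_plan(request)
    print("\n".join(result.commands))
    print("\n".join(result.report_lines))
```

The generated CL is what the menu-driven tool in the post would submit on the migrator's behalf; the point of the validate step is that the tool, not the person, enforces the path (DEV to QA to PROD only) and the two-person rule, so the auditors' report shows who ran the migration and what authority the objects ended up with.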
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.