Re: Why do software companies always want ALLOBJ

[booth@xxxxxxxxxxxx]

Great idea.  I'd buy that CD for $100.  Sounds like a "business 
opportunity" for somebody.

_______________________
Booth Martin
Booth@MartinVT.com
http://www.MartinVT.com
_______________________




MacWheel99@aol.com
Sent by: owner-midrange-l@midrange.com
09/14/2000 01:14 PM
Please respond to MIDRANGE-L

 
        To:     MIDRANGE-L@midrange.com
        cc: 
        Subject:        Re: Why do software companies always want ALLOBJ

One solution that I think the world of companies using AS/400 needs is

"An Introduction to AS/400 Security for General Management"

My vision of this tool would be that it would come with a menu driven view 
of 
WRKSYSVAL and other FAQ about YOUR system where someone could view 
Security 
Wizard information without changing any of it.

An executive who previously knew nothing about AS/400 security, such as a 
general outside auditor or a new hire in the MIS department, could be 
viewing 
this CD Rom which walks through some explanation of say security levels 10 
20 
30 40 50, then is asked to switch to the other session & take the menu 
option 
that tells you what level your company is presently at, then return to the 
CD 
Rom session & key in what that is, which controls the flow of information 
regarding the risks & advantages of that level & what you get if your 
enterprise moves up to next level, assuming the software that you have 
installed is able to function at the next level, explained in a 
non-technical 
manner.

This would be followed by a series of very simple questions, answerable by 

the menu, that leads into an education as to what the function is of 
various 
security features & the risks & what not, about each one.  Perhaps one 
option 
would identify a list of all the user-ids that can sign on & have 
extremely 
global access, that in AS/400 terms these people are the real bosses of 
your 
operations & data.

There might be a second CD Rom based on a major software package, such as 
JDE 
or BPCS, in which the executive is prompted to key in like a USER ID & the 

view is information only without ability to update anything software ... 
could then look at that ERP's security sub-system & combined with user 
profile information might then say all the stuff this person can access & 
whether if someone outside the company figures out the password, can they 
get 
onto your system from the internet & do the same stuff.  It would identify 

both legitimate & illegitimate activities authorized by these settings & 
ask 
in a rhetorical way, if this is the kind of security that you really want 
for 
your company.

An AS/400 with GOOD SECURITY might not let someone access such 
information, 
but such a site does not need this education. 

Another variation might be a WHITE HAT hacker simulation ... it would run 
a 
series of tests against your AS/400 conceptually similar to what we get 
for 
our PC by going to sites like 

http://grc.com/default.htm Shields Up then Test them - both tests then look 
at the great FAQ

or

http://security2.norton.com/sa/1033/sym/sym_intro.asp?j=1&bhcd2=957949319
Norton Internet Security 2000 which I think has a more comprehensive 
testing 
but not so easy to get at their FAQ

If any such software exists, I have no knowledge of it.

If this is reasonably practicable to create, I might think that it should 
be 
created as a team effort between IBM Rochester & BPs, then distributed for 

free, or at low cost, as part of a marketing effort by AS/400 security 
specialist BPs who are seeking additional customers or more consulting & 
developing opportunities.

The CD Rom session might include linked access to web sites for accessing 
a 
directory of AS/400 security consultants that serve your geographic area 
if 
the executive's newly gained understanding leads to a conclusion that our 
site needs help, or a computer audit more intrusive than this introductory 
CD 
Rom perspective.

I have several power users who can function in a help desk role.  They are 

trusted with a level of access that is considerably below that of security 

officer, but they do have some system operator type access & training so 
that 
they can view what the situation is with some user who got in trouble.

One of my power users pointed out to me what he thought was an extremely 
useful query I had created (which lists customer orders with errors in our 

pricing) that seemed to him to be under-utilized, and was asking how 
people 
are expected to find out about additions to our collection of tools (I had 

added this one while he was on vacation).  I showed him how to use WRKOBJ 
on 
any specific *QRYDFN to see when was the last time an individual query was 

actually used & how many days of usage has it had since it was created on 
our 
current box (upgrades lose some accumulated statistics).

I am tempted to put that in a CL on a menu so folks do not have to 
remember 
what all to key in to get at it ... jsut the name of the query.

Then I noodled around a bit & from DSPOBJD got an *OUTFILE of all our 
*QRYDFN 
so now we can run a query of our queries to see which are being used 
heavily 
& which are not being used at all.  Ditto for all our *PGM CL in *LIBL 
excluding IBM QSYS variety ... ie. the kind of stuff that ordinarily is on 

SOME MENU some place, but out of sight out of mind when most people only 
use 
a small handful of different menus.

My interest in this is identification of wasted disk space (I keep finding 

debris left by the developers), doing a better job of communicating what 
software is available for us to use (sort on text description within 
software 
category), get a report listing software that was added or changed 
recently 
(reference list for folks who have had a nice long vacation & should 
management ever want to know what I have been working on), and when we see 

what is underutilized vs. heavily used, we know what types of problems are 

being resolved as part of normal business operations & which are not, 
which 
relates back to the point my power user was making.

I think it would be really cool, if I could somehow link this to our ERP 
security file logic & generate a report (I think it would have to be RPG 
rather than Query) to show what CAN or cannot be run by various USER IDs 
on 
this list of all the software objects in our ERP production library list. 
Several versions of this report id.

Directory of our software that we now have, thanks to the DSPOBJD to 
*OUTFILE, with addition of count of # of users who are authorized to run 
each 
one.

Select any given user id & get report showing all the stuff that person is 

authorized to run.

Select any given program or ranges that is ERP structurally significant, 
such 
as all the "900" programs of ERP & get list of all the users who are 
authorized to run it.

When my time permits, I may pursue some of these ideas a bit further.

Al Macintyre  ©¿©
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to 
MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: 
david@midrange.com
+---




+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---