Hello Frank,

You wrote:
>Why this happened is he tried to start QSH after the V4R5 upgrade.
>For some reason it was not installed properly, but he found that
>there was a QSH in QSYSV4R4M0, hence the rest.

And you are paying this person real money? Can I come and work for you? I could be asleep for most of the day and still shine brighter than that spark! There is a serious lack of logical thought involved in the process indicated by your paragraph. Still, I guess he had a "learning experience" and hopefully will think a bit more in future.

>These are the authority settings. Basically QPGMR.
>Also QPGMR on our machine has access to both
>CHGSYSLIBL and CHGSYSVAL, I am not aware that we
>did anything special to enable this.

Someone at your company did something special -- they granted QPGMR authority to the CHGSYSLIBL command. It is shipped with QSYS *ALL and *PUBLIC *EXCLUDE and that's all. CHGSYSVAL is shipped with much more access (QSYS, QSRV, QSYSOPR, QPGMR, and QSRVDRCTR).

As you have discovered, that command is a good way to expose your system. There is very little reason for anyone to have authority to commands that alter the system portion of the library list.

Which also leads on to the security issues involved in making programmers and users part of the IBM-supplied profiles. They simply shouldn't be used -- exceptions are QSECOFR and QSYSOPR for actual signon, and QSRV when an engineer is actually using it.

You really should create your own programmer group, grant it only the authority needed by the job role (which is NOT all that QPGMR can do regardless of how the programmers may bleat), and assign your developers to that group. None of the IBM profiles should be a group profile because they generally have far more authority than programmers, operators, and users require.

Regards,
Simon Coulter.
--------------------------------------------------------------------
FlyByNight Software         AS/400 Technical Specialists
http://www.flybynight.com.au/
Phone: +61 3 9419 0175   Mobile: +61 0411 091 400        /"\
Fax:   +61 3 9419 0175   mailto: shc@flybynight.com.au   \ /
                                                          X
           ASCII Ribbon campaign against HTML E-Mail     / \
--------------------------------------------------------------------
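
The clean-up described in the message above, sketched as a CL program. This is an added example, not part of the original post or Simon Coulter's own code; the group profile DEVGRP and the developer profile DEVUSER1 are hypothetical names, and it assumes the program is run by a profile with *SECADM and *ALLOBJ special authority.

```cl
/* Added example: DEVGRP and DEVUSER1 are hypothetical names.        */
PGM
  /* 1. Record who currently holds authority to both commands,      */
  /*    so the change can be reviewed and, if needed, reversed.     */
  DSPOBJAUT OBJ(QSYS/CHGSYSLIBL) OBJTYPE(*CMD) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(QSYS/CHGSYSVAL)  OBJTYPE(*CMD) OUTPUT(*PRINT)

  /* 2. Remove the locally added QPGMR grant on CHGSYSLIBL and put  */
  /*    *PUBLIC back to *EXCLUDE, the shipped state per the message */
  /*    (QSYS *ALL, *PUBLIC *EXCLUDE, nothing else).                */
  RVKOBJAUT OBJ(QSYS/CHGSYSLIBL) OBJTYPE(*CMD) +
            USER(QPGMR) AUT(*ALL)
  GRTOBJAUT OBJ(QSYS/CHGSYSLIBL) OBJTYPE(*CMD) +
            USER(*PUBLIC) AUT(*EXCLUDE)

  /* 3. Create a site-owned programmer group that cannot sign on    */
  /*    and carries no special authorities.                         */
  CRTUSRPRF USRPRF(DEVGRP) PASSWORD(*NONE) USRCLS(*USER) +
            SPCAUT(*NONE) TEXT('Developer group profile')

  /* 4. Move a developer from QPGMR to the new group. Repeat for    */
  /*    each developer; object authorities for the job role are     */
  /*    then granted to DEVGRP, not to the IBM-supplied profile.    */
  CHGUSRPRF USRPRF(DEVUSER1) GRPPRF(DEVGRP) SUPGRPPRF(*NONE)
ENDPGM
```

The printed DSPOBJAUT listings from step 1 are the baseline to compare against after the next release upgrade.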