Hi Simon,


>>Why this happened is he tried to start QSH after the V4R5 upgrade.
>>For some reason it was not installed properly, but he found that
>>there was a QSH in QSYSV4R4M0, hence the rest.

>And you are paying this person real money?  Can I come and work for you?
>I could be asleep for most of the day and still shine brighter than that
>spark!  There is a serious lack of logical thought involved in the process
>indicated by your paragraph.

We all know you are bright, Simon; you can work for me any time. By
the way, what are your rates (perhaps I can afford them)?
As for 'logical thought', we can't all be Vulcans (FIAWOL).
In the meantime I will work with ordinary mortals.

>CHGSYSVAL is shipped with much more
>access (QSYS, QSRV, QSYSOPR, QPGMR, and QSRVDRCTR).
>As you have discovered, that command is a good way to expose your system.
>There is very little reason for anyone to have authority to commands that
>alter the system portion of the library list.

'expose?' I liked Al's term better: 'crater'.
After discussions with others, there is probably a simple workaround,
that is, use a qualified command 'QSYS/CHGSYSVAL' to reset the SYSVAL.


>Which also leads on to the security issues involved in making programmers
>and users part of the IBM-supplied profiles.  They simply shouldn't be
>used -- exceptions are QSECOFR and QSYSOPR for actual signon, and QSRV
>when an engineer is actually using it.  You really should create your own
>programmer group, grant it only the authority needed by the job role
>(which is NOT all that QPGMR can do regardless of how the programmers may
>bleat), and assign your developers to that group.  None of the IBM
>profiles should be a group profile because they generally have far more
>authority than programmers, operators, and users require.
>
>Regards,
>Simon Coulter.

I would suggest that most AS400 shops use the QPGMR profile for programmer
access.  Tailoring user profiles to specific jobs seems to be a headache.
I suppose some people do this, but not many.
We use AS400 security to keep programmers out of production databases
(program and data) but I suggest a lot of shops do not even do that much.
Is it asking too much for examples of which QPGMR authorities should be
revoked?

As a complete aside I was wondering what Walden was on about re. SEPT.
This is the first I heard about SEPT.
Seems to me that accessing system programs via SEPT completely bypasses
AS400 security checking. I am probably wrong.


Frank Kolmann



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].