Hi Simon,

>>Why this happened is he tried to start QSH after the V4R5 upgrade.
>>For some reason it was not installed properly, but he found that
>>there was a QSH in QSYSV4R4M0, hence the rest.

>And you are paying this person real money? Can I come and work for you?
>I could be asleep for most of the day and still shine brighter than that
>spark! There is a serious lack of logical thought involved in the process
>indicated by your paragraph.

We all know you are bright Simon, you can work for me any time, by the way what are your rates (perhaps I can afford them). As for 'logical thought', we can't all be Vulcans (FIAWOL). In the meantime I will work with ordinary mortals.

>CHGSYSVAL is shipped with much more
>access (QSYS, QSRV, QSYSOPR, QPGMR, and QSRVDRCTR).
>As you have discovered, that command is a good way to expose your system.
>There is very little reason for anyone to have authority to commands that
>alter the system portion of the library list.

'expose?' I liked Al's term better 'crater'. After discussions with others there is probably a simple workaround, that is use a qualified command 'QSYS/CHGSYSVAL' to reset the SYSVAL.

>Which also leads on to the security issues involved in making programmers
>and users part of the IBM-supplied profiles. They simply shouldn't be
>used -- exceptions are QSECOFR and QSYSOPR for actual signon, and QSRV
>when an engineer is actually using it. You really should create your own
>programmer group, grant it only the authority needed by the job role
>(which is NOT all that QPGMR can do regardless of how the programmers may
>bleat), and assign your developers to that group. None of the IBM
>profiles should be a group profile because they generally have far more
>authority than programmers, operators, and users require.
>
>Regards,
>Simon Coulter.

I would suggest that most AS400 shops use the QPGMR profile for programmer access. Tailoring user profiles to specific jobs seems to be a headache. I suppose some people do this, but not many. We use AS400 security to keep programmers out of production databases (program and data) but I suggest a lot of shops do not even do that much. Is it asking too much for examples of which QPGMR authorities should be revoked?

As a complete aside I was wondering what Walden was on about re. SEPT. This is the first I heard about SEPT. Seems to me that accessing system programs via SEPT completely bypasses AS400 security checking. I am probably wrong.

Frank Kolmann
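
An added example, not part of the original thread or anyone's posted code: the approach quoted above (a site-owned programmer group in place of QPGMR, and no developer authority to CHGSYSVAL) written out as a CL program. The names DEVGRP and DEVUSER1 are hypothetical, and the program is assumed to be run by a security officer.

```cl
/* Added example. DEVGRP and DEVUSER1 are hypothetical names.        */
/* Assumption: run by a profile with *SECADM and *ALLOBJ authority.  */
PGM

  /* 1. Record who holds authority to the command before changing    */
  /*    anything, so the shipped state can be compared later.        */
  DSPOBJAUT  OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) OUTPUT(*PRINT)

  /* 2. Site-owned group profile: cannot sign on (no password) and   */
  /*    carries no special authorities of its own.                   */
  CRTUSRPRF  USRPRF(DEVGRP) PASSWORD(*NONE) USRCLS(*PGMR) +
               SPCAUT(*NONE) TEXT('Developer group (example)')

  /* 3. Move a developer out of the IBM-supplied group and into the  */
  /*    site group, with no supplemental groups left behind.         */
  CHGUSRPRF  USRPRF(DEVUSER1) GRPPRF(DEVGRP) SUPGRPPRF(*NONE)

  /* 4. Make the intent explicit: the developer group is excluded    */
  /*    from the command that alters system values.                  */
  GRTOBJAUT  OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) USER(DEVGRP) +
               AUT(*EXCLUDE)

  /* 5. Optional: remove the private authority QPGMR holds to the    */
  /*    command, for any profile still attached to QPGMR.            */
  RVKOBJAUT  OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) USER(QPGMR) +
               AUT(*ALL)

  /* 6. Print the authorities again to confirm the result.           */
  DSPOBJAUT  OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) OUTPUT(*PRINT)

ENDPGM
```

Comparing the two DSPOBJAUT listings shows exactly which entries changed; authorities the developers need for their job role would then be granted to DEVGRP object by object.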