× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



See below.  --Paul E Musselman
PaulMmn@ix.netcom.nospam.com


>We are currently going through all of the users on our systems and removing
>any that have not been deleted for one reason or another. Through our
>looking, we have noticed people with authority that really didn't need it
>(like *SAVRST and *ALLOBJ). We are currently reviewing what people need for
>authority.
>
>1) What have you guys done to maintain security?

We've created a number of programs that run through our production
libraries and enforce our security plan.  And we actually run it
every now and then.

>
>2) How do you create new users? Do you have a "general" user which you copy
>from? Do you start from scratch?

We have a CRTUSR command that does the basic setup:  profile, jobq,
outq, directory entry, etc.  We have additional commands that enable
us to copy application authority from one user to another (even from
a user that's been terminated).  We examined many of our applications
to learn how they create internal authority, and built our copy
applications.

We have to be careful when users change jobs-- we tend to add
authority, and never remove it.  So, if a user moves around a lot,
they tend to be authorized to everything.  We do have the capability
to remove authority for an application, so we need to remove first,
then copy from a user in the new position.

>
>3) How do you eliminate the possibility of a user using the username for a
>password and not allow 'password' for a password?

We activated some of the PWD* system values to force numeral, etc.
etc.  Plus, we change passwords every 60 days, and prevent re-use of
32 passwords, which means even a poor password can't be re-used too
often!

Once problem we have is users who 'increment' their passwords:
SAUERKRAUT1, then SAUERKRAUT2, then SAUERKRAUT3, etc.  Because of the
politics, we can't tighten the rules as much as I'd like (ie prevent
same character in same position).

The problem is that we can make the rules too complicated, so users
can't pick a new password, can't remember it, and write it down and
tape it to the side of their screen

>
>4) How often do you review the users and security?

Less often than we should!   (:

>
>5) Payroll notifies us when people quit or have moved to a new position, but
>it doesn't tell us when remote users quit or have moved on. How do you
>handle this?

Every now and then we scream at everyone and INSIST that we be told
when -anyone-, =anywhere= leaves the company.  But people 'filter'
the responses to us-- "Oh, he never had any access; we don't have to
tell about -him-."

We also have customer locations which have access; they tend to share
profiles and passwords, and we never know when someone leaves.

We occasionally print a list of all users at a location, then mail it
to the location and have someone in their HR or management review the
list and tell us who's no longer there.

We have a TRMUSR command-- this diables the profile, rips it out of
OV/400, removes authority from applications (and archives the
authority to backup files in case we need to copy it to a new user).

We do have a routine that runs weekly that changes password to *NONE
and disables profiles that haven't been used in (PWDEXPITV + 30)
days.  This is an attempt to catch the profiles for people that
aren't really here.  Of course, this doesn't help if the profile has
been shared or stolen.


>
>Any suggestions would be appreciated.
>
>Mike Wills


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.