× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. May 2003

Re: LODRUN

Cris >> You forgot talking about initial program. This come before initial menu 
:-)

Who the owner is is not the key issue in the security exposure aspect. The 
important thing is what authority is adopted. 

I think for object management, it is best that objects are owned by a 
vendor-specific (or even product specific) profile. 

For the security aspect, I think you should run as IBM-default'ed as possibly. 
Those vendors that adopt QSECOFR for everything (because it is convinient) 
shows a weekness in 'knowing what they do'. 

The product should clearly document the security isue of the product, giving 
the INSTALLER (not the vendor) an option genericly to change the major security 
scheme. For example to change *PUBLIC *USE for file object to whatever is the 
general security policy is.

Vern >> The most important: Document the issue. As long as you openly tell what 
you do you can be be forgiven for almost anything. Even for the real nasty 
things that you feel forced to do if you tell WHY this is needed. But remember 
to let the default security setting of the product be sensibly. 80% (???) of 
the customers don't care to read your description.

Henrik
independent consultant

> message: 3
> date: Thu, 22 May 2003 13:18:39 -0700
> from: Chris Bipes <chris.bipes@xxxxxxxxxxxxxxx>
> subject: RE: LODRUN
> 
> I prefer the vender to offer a choice.  When you order the software, specify
> whether you want QSECOFR or Vender specific profile to own the application.
> I prefer the Vender specific profile myself.  The vender should specify what
> authorities are required in the Vender specific profile and that the
> installer must first create the profile, then logon using that profile to
> perform the install.  Once installed, the profile should be giving the
> password of *NONE and initial menu of *SIGNOFF.
> 
> If the purchaser says to use QSECOFR because they do not want to create the
> prerequisite profiles, then the LODRUN should create the profiles using the
> QSECOFR profile then switch to the prerequisite profile to install the rest
> of the software.
> 
> Of course if you need full access to the system for some utility that adds
> exit points and create profiles, well the buyer should be well informed.
> 
> Just my preference,
> 
> Chris Bipes
> 
> -----Original Message-----
> From: Vern Hamberg
> 
> What would you need from a vendor in this situation? Is a section in the 
> documentation sufficient? We certainly don't have anything to hide and do 
> not want to cause any concerns to anyone. What helps a trustful (made up 
> word) relationship with a vendor?
> 
> Anyone can reply to this - I'm interested in various points of view.
>

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.