RE: Can We retire the QSECOFR userid? -- MIDRANGE-L

We had a vendor that had a program owned by QSECOFR that did do a CALL 
QCMD.  Some people really know how to pi$$ you off.

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





Vern Hamberg <vhamberg@xxxxxxxxxxxxxxxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
02/10/2004 11:35 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Fax to

Subject
RE: Can We retire the QSECOFR userid?






I responded with a broader context than your question - mea culpa.

So I was thinking of a (very) few *SECOFR profiles in a shop - then you 
have an audit trail by user. Or implement a command that swaps a user or 
developer to a *SECOFR profile, authorized in a controlled fashion, and 
auditing turned on for the duration of the command execution. The commands 

does a CALL QCMD or QUSCMDLN (I suppose) and removes the extra authority 
upon exit.

Later
Vern

At 08:33 AM 2/10/2004 -0500, you wrote:
>1)  You've got a real problem if everything stayed owned by QSECOFR or
>MYSECOFR.  Especially programs.
>2)  So, if everyone is using MYSECOFR instead of everyone using QSECOFR,
>how does that help your audit trail?
>
>Rob Berendt
>--
>Group Dekko Services, LLC
>Dept 01.073
>PO Box 2000
>Dock 108
>6928N 400E
>Kendallville, IN 46755
>http://www.dekko.com
>
>
>
>
>
>Vern Hamberg <vhamberg@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Sent by: midrange-l-bounces@xxxxxxxxxxxx
>02/09/2004 06:17 PM
>Please respond to
>Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
>
>
>To
>Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
>cc
>
>Fax to
>
>Subject
>RE: Can We retire the QSECOFR userid?
>
>
>
>
>
>
>I can think of a couple reasons not to use QSECOFR all the time:
>
>1. Object ownership - it might be possible to exceed the limits on number
>of objects owned
>
>2. Audit trail - using the generic IDs means you have no idea who did 
what
>
>to whom
>
>Vern
>
>At 04:49 PM 2/9/2004 -0500, you wrote:
> >Does anyone really see a difference between having the generic QSECOFR 
or
> >a generic MYSECOFR with the same authorities?  Granted, there are some
> >very limited applications where you must be QSECOFR, (ptf's ain't one 
of
> >them).  But does creating the MYSECOFR give you any additional 
security?
> >None that I can think of.  Oh, I suppose you could disable QSECOFR and
> >then a hack trying it would have a bear of a time getting in.  But, 
other
> >than that?  If so, why bother?
> >
> >Rob Berendt
>
>
>_______________________________________________
>This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
>list
>To post a message email: MIDRANGE-L@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/midrange-l
>or email: MIDRANGE-L-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/midrange-l.
>
>
>_______________________________________________
>This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
>To post a message email: MIDRANGE-L@xxxxxxxxxxxx
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/mailman/listinfo/midrange-l
>or email: MIDRANGE-L-request@xxxxxxxxxxxx
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/midrange-l.


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.