I agree with Jerry, Joe, Elvis and the others...it depends on the size of
your shop and what you are doing in your shop. If you have a bunch of
systems (partitions) or have a lot of extra procedures or DB2
connect/SQL/ODBC/etc., you should look at the idea of having a DBA.

At my last job we had Lotus Notes DBAs (???), Oracle and SQL DBAs but no
iSeries DBAs. Occasionally I would hear an AS/400 PGMR call himself a DBA.


I try to stress to my non-i5 friends that this system is essentially a DB2
database with an OS wrapped around it. If you can maintain the system, you
'should' be able to maintain the database...therefore you do not need a DBA. Please
don't throw things at me for my simple explanation, but it gets it across to
the Wintel crowd.

Now for the setting up of security:
<Vendor Pitch> If you are a shop that wants to allow access to production
data or other privileged info/commands, without granting all the authority
that comes with that (*ALLOBJ, *SECADM, *SECOFR, etc.) you can use the NetIQ
Privilege Manager tool in PSSecure. It allows you to grant access to
specific commands and objects without granting all the other authority
necessary.

For example: You want BOB the PGMR to update the customer file on the PROD
system and only use UPDDTA. You can create an entitlement in Prv. Mgr. for
BOB to UPDDTA PRODLIB/CUSTOMER. He has no other access to the file and
cannot update anything else with UPDDTA. Oh and did I mention it is free to
all existing PSSecure customers?
</VENDOR Pitch>

Otherwise on security access for a 'DBA' or programmer, they should never
have access to production data unless it is an emergency and all the
necessary hoops have been jumped through. Then you have to document all of
this, remove all of their accesses and be prepared to explain to your
non-iSeries auditor why you let someone have carte-blanche access to your
system.


On Oct 31, 2007 10:17 AM, Graap, Kenneth <keg@xxxxxxxxxxxxx> wrote:

We are in the middle of an IS Audit and the auditor is asking us why we
don't separate the duties of DB Administrator and System Administrator
on our System i platform.

Historically we have always combined these duties on the System i but
we are now being pressured to come up with a way to separate them.

Has anyone else had to do this and if so, how did you define these duties
and set up system security to enforce it?

or ... can anyone share a compelling argument for not separating these
duties?

Kenneth

****************************************
Kenneth E. Graap
IBM Certified Specialist
iSeries Multiple System Administrator
NW Natural (Gas Services)
keg@xxxxxxxxxxxxx
Phone: 503-226-4211 x5537
FAX: 503-721-2518
****************************************

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.






This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.