


Where I work this is more political than technical.

Once people have had certain capabilities, pulling them means pushback through management demanding we continue the capabilities certain people have grown to need in their work, not wanting to have to learn an alternative way of doing things.

Also, when we have new users, I set them up with limited access until I get assurance of their training, but it is not unusual to be told to give the exact same access to a brand new hire as we have for a 10-year veteran, or to have someone with extreme access be replaced by a novice who signs on using the high-power access.

e.g. person X was just hired, signs on using person Y password.

So if management is not interested in security issues, the computer staff's hands are rather tied.

I am less interested in risk from an internal klutz than risk from persons able to sign on using external connections to the system. For example, someone with a laptop has access to our AS/400. That laptop also has wireless. If the security of that wireless is the least bit flaky, then anyone outside the building who has nothing to do with our company can use the wireless to do anything that the person with the laptop has security to do.

Now suppose that laptop is in trunk of employee car, and gets stolen.
How soon are we told that user password needs to be changed?

We are now owned by another company, whose leadership commanded that their consultant have master security access, without telling us all that consultant is to do. Seems to me the consultant has both experienced and inexperienced staff.

Again, this is much more a political issue than a technical one.

Then there are so many ways to access the 400, such as TELNET and FTP scripts.
We techies may be familiar with one bunch of ways the system can be accessed, and we do a good job of locking them down, but there are other ways we are not familiar or knowledgeable with, that are probably not locked down well.

You can buy security evaluation products that will identify all the many different kinds of problems with your overall system, then use the info to improve your security, then run the evaluation again to re-prioritize what to tackle, provided you have the political support.

You can have triggers on files that prohibit certain actions, irrespective of how the files are accessed.

I have setup menus for system functions, such as message other users, work with reports, check JOBQ, who is doing what on the system. I sell some of these menus to people on the basis that you no longer have to remember the parameters to key.

I have several sets of such menus, where there are security access limitations: only certain technical people can get to menu FXS, for example, which we use to fix various problems that occur, while everyone has access to menu MSG for sending messages to co-workers and reading certain message queues.

There is a menu option to get into PDM where the parameters have been pre-seeded to only see certain subsets, where the "software" is really documents ... "How Tos."

When you have an IBM command inside a CL that is executed from a menu option, you can force some parameters to be unable to be changed by the user, and make others changeable at execution time. You pick and choose which in the CL when you set it up.

In the PC connection world, there are ways to access that are more powerful than the command line, such that removing command line access in the user profile does not do that much for security. You need to study the security manuals that come with the 400, and attend some of the security classes.

One of our consultants setup for us, in a highly secure requirement, a PC that had no Windows OS, no alternative to Windows, the only thing was AS/400 access to a Menu only access privilege, and no way to get out of the Menus ... if user took F3 to exit the Menu, it took them to *SIGNOFF. We tested that pretty good & were unable to break it ... the people using that PC could only do the stuff on the Menu we provided, nothing more.

Al Macintyre
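The locked-parameter menu option and the menu-only sign-on described in the post above, as an added CL example that is not part of the original message. The library `APPLIB`, message queue `SHIPMSGQ`, program names `MNUDSPMSG` and `MNUINIT`, and user `NEWHIRE` are hypothetical; menu `MSG` is the one named in the post.

```cl
/* --- Source member MNUDSPMSG: called from an option on menu MSG --- */
/* Selective prompting: ?* shows a parameter but locks it,           */
/*                      ?? shows it and lets the user change it.     */
PGM
  /* User may pick message type and start position, but cannot      */
  /* point the command at any queue other than APPLIB/SHIPMSGQ.     */
  DSPMSG ?*MSGQ(APPLIB/SHIPMSGQ) ??MSGTYPE(*ALL) ??START(*LAST)
  MONMSG MSGID(CPF6801) /* F3/F12 pressed on the prompt: just return */
ENDPGM

/* --- Source member MNUINIT: initial program for menu-only users --- */
PGM
  /* Show the menu. When the user exits it with F3, this program     */
  /* ends and INLMNU(*SIGNOFF) on the profile signs the user off.    */
  GO MENU(APPLIB/MSG)
  MONMSG MSGID(CPF0000) /* any failure also falls through to signoff */
ENDPGM

/* --- Run once by a security officer for each menu-only profile ---  */
/* LMTCPB(*YES): user cannot change initial program/menu at sign-on  */
/*   and can run only commands flagged ALWLMTUSR(*YES) if a command  */
/*   line is ever reached.                                           */
/* ATNPGM(*NONE): no Attention-key program to escape into.           */
CHGUSRPRF USRPRF(NEWHIRE) LMTCPB(*YES) +
          INLPGM(APPLIB/MNUINIT) INLMNU(*SIGNOFF) +
          ATNPGM(*NONE)
```

These settings govern interactive 5250 sign-on only; the other access paths the post mentions (FTP, PC connections) still depend on object authority.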

Sorry, there was something wrong with my computer with my earlier post. We are trying to reduce the command line access to users on AS/400 and try to implement a strategy like an alternate Menu with all commands. Anyone who had experience working on reducing the command line access and implementing a different solution, please share with me your thoughts. Also, would it be possible at all to execute any command (like calling a program or executing an AS/400 command) if there is no command line access and Menu option? Please share your thoughts. Thank you


