Also, high availability tools like MIMIX can replicate user profiles as they're created, changed, and deleted. Certainly overkill for just that purpose, but if you're going to do HA for BCDR or other reasons the ability is there.
Since we implemented MIMIX we've been able to really change the way we operate. Daily library/IFS backups are done on the replica (HA target) with only journal receivers being backed up daily on the production LPARs. Reporting via Crystal Enterprise happens against the replica. Production only goes down for a monthly full system save (our only downtime any given month) and is up 24x7 the rest of the time.
--
John A. Jones, CISSP
Sr. Analyst, Global Information Security
Jones Lang LaSalle, Inc.
Voice: +1.630-455.2787
FAX: +1.312.601.1782
Email: john.jones@xxxxxxxxxx
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Monday, December 08, 2008 10:46 AM
To: Midrange Systems Technical Discussion
Subject: Re: Security on multiple LPARs.
Each person is separate, on each machine.
Kerberos and EIM help. But even in that environment a user on LPAR1 still
may not exist on LPAR2. Those items just help keep the "passwords" in
sync.
Good, bad, or indifferent, a common technique in the i world is that one
developer may have *ALLOBJ on the development lpar and more restrictive
authority in the production lpar.
Also, when consolidating machines on to lpars there are strange situations
where FRED on LPAR1 may be Fred Jones and FRED on LPAR2 may be Fred Smith.
Some cleanup work may be involved. (Think mergers and acquisitions.)
There are security exit points where you can add bolt on's to do what you
desire. I wrote simple ones to sync passwords, but not other user
properties.
Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From:
"McKown, John" <John.Mckown@xxxxxxxxxxxxxxxxx>
To:
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:
12/08/2008 11:03 AM
Subject:
Security on multiple LPARs.
Sent by:
midrange-l-bounces@xxxxxxxxxxxx
This is sort of an outgrowth of my question about sharing DASD. If I
have multiple LPARs (or machines), does this mean that I have separate
security environments? In particular, if I have people who need to be
able to access every LPAR, then do they have logically separate userids
and passwords? In our current environment, we share the security
dataase. So when a person updates their password on one system, that
updates the shared database and they use the same userid / password on
all LPARs. Does the i have a similar facility (I guess maybe that would
be something like Active Directory in the Windows world)? Or do they
need to remember or change their password on every LPAR?
Thanks.
John McKown
Systems Engineer IV
IT
Administrative Services Group
HealthMarkets(r)
Administrative Services Group
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mckown@xxxxxxxxxxxxxxxxx * www.HealthMarkets.com
Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential or proprietary information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
This email is for the use of the intended recipient(s) only. If you have
received this email in error, please notify the sender immediately and then
delete it. If you are not the intended recipient, you must not keep, use,
disclose, copy or distribute this email without the author's prior
permission. We have taken precautions to minimize the risk of transmitting
software viruses, but we advise you to carry out your own virus checks on
any attachment to this message. We cannot accept liability for any loss
or damage caused by software viruses. The information contained in this
communication may be confidential and may be subject to the attorney-client
privilege. If you are the intended recipient and you do not wish to receive
similar electronic messages from us in the future then please respond to the
sender to this effect.
midrange.com
