I agree completely that they had better learn what those cross-reference files are about. Certainly they had better not be trying to update those files directly - or at all. Any changes to those should be done only by the low-level data management routines.

Really strange! I'd not let them loose anywhere near my box, either!

Probably they ran those scripts as someone with enough authority - *ALLOBJ or whatever. That's a very dangerous way to do things, as you know. I find it very easy to make assumptions about behavior, especially around security, when working in a software house, where developers often have lots of authority - we too easily forget what the real world is like.


On 6/6/2011 9:01 AM, Joe Pluta wrote:
> On 6/6/2011 8:24 AM, Vern Hamberg wrote:
>> Hi Joe
>>
>> I'm coming in late - and this is in regard to your original thread - you
>> said IBM, or WebSphere, wanted access to QADBXREF. I hope I didn't miss
>> something here, so please bear with me. Was this on a support call? Or
>> was this some application requirement? It all sounds very strange, as
>> Chuck and others had pointed out.
> It's an IBM-written upgrade script for WebSphere Commerce.
>
>> Another question - you expressed reticence at granting "IBM" (whatever
>> context that comprised) *ALLOBJ - would you have allowed a service tech
>> that kind of access, or given them the password for QSECOFR?
> I have no problem giving someone from support access to whatever they
> need to perform their job, and certainly there are times when a support
> analyst needs more access than one would normally grant a typical user
> (albeit temporary and limited). However, I have a real problem with
> application software requiring *ALLOBJ or QSECOFR, even if it is IBM.
> This is an upgrade, so no, there should not be a requirement for such
> high levels of access.
>
>> This is interesting - I think the intent of IBM is to limit access
>> directly to the various QADB* PFs - to avoid all manner of dangerous
>> actions, whether intentional or accidental.
> And that's my point exactly. If the script developers don't know enough
> to use the correct files, then I most certainly don't want them running
> around my system with *ALLOBJ access!



This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.