× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. October 2014

Re: Delete powerful profile that owns everything

Tick Tick Tick, yes this is a big problem.

As the thread started this is a discussion and it's known that the current setup is NOT best practice...... but all too common.

Adopted authority is indeed useful and a valid technique the limits authority to when it's needed. But the profile being adopted should have no rights to sign on thus limiting from being used for FTP, ODBC, file sharing etc.

- Larry "DrFranken" Bolhuis

www.frankeni.com
www.iDevCloud.com
www.iInTheCloud.com

On 10/20/2014 11:05 AM, John R. Smith, Jr. wrote:

You also should make sure programs are not adopting her authority because
moving them to another profile with different authorities will break things.

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Chris
Bipes
Sent: Monday, October 20, 2014 10:37 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Delete powerful profile that owns everything

Don't know about best practice but we try to create an owner for each
application. We make QSECOFR the owner for all user profiles. (Probably
not the best practice.) The IFS gets to be a real pain.

I would create a service account for the sys admin and change owner to it as
a temporary stop gap until you can formalize a plan that satisfies you and
the auditors and then start changing ownership of the service account owned
objects. (Service accounts should not have a password and initial program
be signoff.)

Chris Bipes
Director of Information Services
CrossCheck, Inc.

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim
Franz
Sent: Monday, October 20, 2014 7:30 AM
To: Midrange Systems Technical Discussion
Subject: Delete powerful profile that owns everything

This is more of a discussion than a question.
Auditors are requiring we remove profiles for former employees, and we
recently lost our Sys Admin of ten years... and she owned "almost"
everything.
I already knew it was not a healthy setup, but the question is what form to
change to.
The removal of the profile has the option to reassign the ownership.
There are several package apps and inhouse apps.
The "Q" profiles do not own stuff except where the IBM product has a profile
(like IBM Content Manager). Most of the products do have a profile.
We can create a profile to install/upgrade and own.
Also finding her profile in products using ftp..
Best practice?

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.