RE: Sox issues with programmer having *jobctl to review productionissues

Sorry but even the most simple audits now find that trick.

It's better for SOX and everybody involved to simply document an exception
to the normal rules and provide a verifiable method of granting significant
access to the system for abnormal situations.

--
Jim Oberholtzer
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Paul
Nelson
Sent: Thursday, October 13, 2016 9:23 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Sox issues with programmer having *jobctl to review
productionissues

Here's a trick I learned way back in the S/38 days:

Write a program called QSE (as in systems engineer) with CALL QCMD as the
only real statement.

Compile that program using the QSECOFR profile and allow it to adopt QSECOFR
authority.

Joe Developer calls that program, and he can do whatever he needs to do.

Because of the name, the kids from the auditing firm will assume the program
belongs to IBM, and won't think twice about it.

Paul Nelson
Cell 708-670-6978
Office 409-267-4027
nelsonp@xxxxxxxxxxxxx


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim
Franz
Sent: Thursday, October 13, 2016 9:09 AM
To: Midrange Systems Technical Discussion
Subject: Re: Sox issues with programmer having *jobctl to review
productionissues

I don't like generic accounts, we have about 7 of us that rotate the on call
schedule, and only 3 senior people have the *jobctl. Why they picked on that
as the issue I don't know (this is KPMG). We could "log" with chgusraud...
I think I need a better definition of why it's a problem.
Jim

On Thu, Oct 13, 2016 at 9:57 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

You'll hear of shops that allow QSECOFR for analyzing emergency problems.
However, the only times the developers have needed that was to install
new versions of certain packages and never for an emergency middle of
the night fix. But we've only been on this platform for 25+ years.

I'm thinking that holding them from being able to see joblogs is a bit
extreme.
I have a tough enough time with the developers often not being able to
use the graphical debugger because that requires certain levels of access.

I suppose something with adopted authority wrapped around DSPJOBLOG
would work. Not sure if the whole WRKACTJOB is necessary. Maybe if
it also self logged usages of itself.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Jim Franz <franz9000@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 10/13/2016 09:44 AM
Subject: Sox issues with programmer having *jobctl to review
production issues
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Looking for how other companies handle "programmer on call" where a
halt has occurred in Production, and we are now being told we cannot
have *jobctl to view job log of the issue to determine how best to handle.
Would a wrkactjob with adopted authority be acceptable?
How are others handling this?
We have some old code and every couple months a programmer called in
the middle of the night for a batch error...
Jim Franz
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.