


Make sure there are no other land mines he could exploit. I once had a
program named QSE that adopted the QSECOFR authority. No matter how my user
profile was set to placate the auditors, all I had to do was type CALL QSE,
and I could do whatever I needed to do.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Tuesday, January 14, 2020 8:30 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Security question

I like the idea of deleting/recreating. This should clear him out of any
individual authorities, group memberships, authorization lists, etc.

If, however, you do not secure your data, or give him special authority, and
your sole method of security is limiting command line or using exit points,
then you've pretty much given him the keys to the kingdom.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Steve
McKay
Sent: Tuesday, January 14, 2020 11:18 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Security question



Bill -

User class on the user profile has little impact on security. It controls
options displayed on IBM menus and initially populates special authorities
when the user profile is created.

It is more important to look at special authorities, group membership (as
defined in the user profile), and any authority list that the user is
assigned to.

I would consider deleting the user profile and creating a new one from
scratch. Chances are good that, over time in IT, he/she has accumulated
authority to things that you may not be aware of. He/she is no longer an
IT person and probably has no reason to have that level of authority. If
you have a group profile or authority list that provides default access for
"ordinary users", put the user in that one. If the user owns a personal
library and its contents, he/she can totally control anything in that
library.

Thanks,

Steve McKay
(205) 585-8424
samckay1@xxxxxxxxx



On Tue, Jan 14, 2020 at 11:06 AM Howie, Bill <BHowie@xxxxxxxxxxxxxxxx>
wrote:

Hello all,

We have a rather unique security situation on our system. We have someone
who is in senior management now who used to be in the IT department. His
access to the system remains pretty high, basically what it was when he was
in the IT group. We are starting to pare that down. We basically would
like to create almost a "silo" setup for him, where he can do stuff in his
own library but not put anything into production without our knowledge.
Right now he has a *PGMR user class and limit capabilities is set to "NO".
The issue in my mind is that even if we set up a "silo" for him
(basically, I think, just his own library) and don't change any of the
other things, like limiting his capabilities, then we won't really be able
to restrict him at all. Conversely, if we do limit his capabilities on his
user profile, then he wouldn't be able to do certain things even within his
own library.

Anyone else have this kind of situation before? What are everyone's
thoughts on ways to handle this? All input is, as always, appreciated.

Bill Howie | Senior ERP Programmer/Analyst Consultant
The HC Companies | 2450 Edison Blvd, Suite 3, Twinsburg OH 44087
Direct: 330.487.3739 | Cell: 330.495.5627 | Toll Free: 800.225.7712

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
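
The review the replies above call for (special authorities, group membership, authorization lists, and programs that adopt a powerful profile such as the QSE example) can be printed with standard IBM i CL commands. This is an added example, not code from any of the posters; the program name AUDUSR and its three parameters are hypothetical, and it assumes it is run by a security officer with authority to the profiles involved.

```cl
/* AUDUSR: added example, not from the thread.                       */
/* &USER = profile being pared down, &LIB/&PGM = a program suspected */
/* of adopting authority (placeholders supplied by the caller).      */
PGM        PARM(&USER &LIB &PGM)
  DCL      VAR(&USER) TYPE(*CHAR) LEN(10)
  DCL      VAR(&LIB)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&PGM)  TYPE(*CHAR) LEN(10)

  /* User class, special authorities, group and supplemental group   */
  /* profiles, limit capabilities: the attributes that matter more   */
  /* than user class alone.                                          */
  DSPUSRPRF  USRPRF(&USER) TYPE(*BASIC)  OUTPUT(*PRINT)

  /* Private authorities accumulated over time, including any        */
  /* authorization lists (*AUTL objects) the profile is on.          */
  DSPUSRPRF  USRPRF(&USER) TYPE(*OBJAUT) OUTPUT(*PRINT)

  /* Objects the profile owns: an owner keeps full control of these  */
  /* and they must be reassigned before the profile can be deleted.  */
  DSPUSRPRF  USRPRF(&USER) TYPE(*OBJOWN) OUTPUT(*PRINT)

  /* Programs that adopt QSECOFR. Repeat for every other profile     */
  /* that holds *ALLOBJ, since adoption follows the program owner.   */
  DSPPGMADP  USRPRF(QSECOFR) OUTPUT(*PRINT)

  /* Programs that adopt the user's own profile; these stop working  */
  /* or change meaning when the profile is recreated.                */
  DSPPGMADP  USRPRF(&USER) OUTPUT(*PRINT)

  /* For one suspect program: the owner and "User profile" attribute */
  /* (*OWNER means it adopts), then who is allowed to call it.       */
  DSPPGM     PGM(&LIB/&PGM) OUTPUT(*PRINT)
  DSPOBJAUT  OBJ(&LIB/&PGM) OBJTYPE(*PGM) OUTPUT(*PRINT)
ENDPGM
```

Any adopting program in the DSPPGMADP listing that the user can call, through *PUBLIC, a group, or a private authority shown by DSPOBJAUT, bypasses whatever the recreated profile restricts.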


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
