Recommendation for IBMi privileges for an outsourcer to support an IBMi environment -- MIDRANGE-L

× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.

Subject: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment
From: Laurence Chiu <lchiu7@xxxxxxxxx>
Date: Fri, 26 Jun 2020 14:24:41 +1200
List-archive: <https://archive.midrange.com/midrange-l/>
List-help: <mailto:midrange-l-request@lists.midrange.com?subject=help>
List-id: Midrange Systems Technical Discussion <midrange-l.lists.midrange.com>
List-post: <mailto:midrange-l@lists.midrange.com>
List-subscribe: <https://lists.midrange.com/mailman/listinfo/midrange-l>, <mailto:midrange-l-request@lists.midrange.com?subject=subscribe>
List-unsubscribe: <https://lists.midrange.com/mailman/options/midrange-l>, <mailto:midrange-l-request@lists.midrange.com?subject=unsubscribe>

We are about to embark on an outsourcing agreement with a supplier to
support our IBMi environment.

We would prefer that they don't have the ability to look at our production
data. The following security profiles were recommended

*IOSYSCFG, *JOBCTL, *SAVSYS, *SERVICE and *SPLCTL.

However they say they also need QSECOFR to be able install software, apply
PTF's etc. There is a view (untested) that somebody with this privilege
could run any application on the IBMi environment and view sensitive data.
Even if we had menus in front with internal application security, they
could just dump the data. We don't think they would do that but our
security folks don't like to have security holes like this.

For those organizations who are using outsourcers to manage their
environments, are there some best practices (even good practices) that you
could recommend that would ameliorate that risk? I think to install the OS
you would need QSECOFR but what other reasons would you need it?

Thanks

As an Amazon Associate we earn from qualifying purchases.

Follow-Ups:

Re: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment , CarlN
RE: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment , midrangel
RE: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment , Paul Nelson

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.