Re: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment

I believe the what you are being told is true. They will need QSECOFR to
manage the system.

That being said, when selecting a "partner", yes you are selecting a
partner, choose wisely, because you are giving them the keys to the
kingdom.
You must trust them completely. If you don't, then you are choosing the
wrong partner.
Possibly have them sign an nondisclosure agreement.





Thanks,



From: "Laurence Chiu" <lchiu7@xxxxxxxxx>
To: "Midrange Systems Technical Discussion"
<midrange-l@xxxxxxxxxxxxxxxxxx>
Date: 06/25/2020 10:24 PM
Subject: Recommendation for IBMi privileges for an outsourcer to
support an IBMi environment
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>



We are about to embark on an outsourcing agreement with a supplier to
support our IBMi environment.

We would prefer that they don't have the ability to look at our production
data. The following security profiles were recommended

*IOSYSCFG, *JOBCTL, *SAVSYS, *SERVICE and *SPLCTL.

However they say they also need QSECOFR to be able install software, apply
PTF's etc. There is a view (untested) that somebody with this privilege
could run any application on the IBMi environment and view sensitive data.
Even if we had menus in front with internal application security, they
could just dump the data. We don't think they would do that but our
security folks don't like to have security holes like this.

For those organizations who are using outsourcers to manage their
environments, are there some best practices (even good practices) that you
could recommend that would ameliorate that risk? I think to install the OS
you would need QSECOFR but what other reasons would you need it?

Thanks