Laurence:
If they are truly a system administrator, without adding some of the newer
security features that IBM gave us in the more recent Technology Refreshes
and/or V7R4, there is next to no way to stop them from seeing production
data. If they want to, they will. The moment they have access to a QSECOFR
type profile, that door is open and you will have a real hard time shutting
it.
DO NOT let them use QSECOFR, in either IBM i or SST. Keep that profile for
your organization. Create a new profile specifically for them that has
*ALLOBJ and *SECADM in addition to the list you provided. Do not put
*AUDIT in the list.
Create a profile in SST that has the authority you wish to give them, but
frankly to do the administrators job, they will need everything there.
Note: giving someone *JOBCTL also includes *SPLCTL so that's redundant.
No problem with it, just redundant.
Your list of special authorities below with allow them to do 90% of what
they need to do.
Who is going to manage user profiles? That list will not allow user profile
maintenance ( a good thing given your questions premise ). To maintain user
profiles you would need authority to the profile itself, and *SECADM.
--
Jim Oberholtzer
Agile Technology Architects
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Laurence Chiu
Sent: Thursday, June 25, 2020 9:25 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Recommendation for IBMi privileges for an outsourcer to support an
IBMi environment
We are about to embark on an outsourcing agreement with a supplier to
support our IBMi environment.
We would prefer that they don't have the ability to look at our production
data. The following security profiles were recommended
*IOSYSCFG, *JOBCTL, *SAVSYS, *SERVICE and *SPLCTL.
However they say they also need QSECOFR to be able install software, apply
PTF's etc. There is a view (untested) that somebody with this privilege
could run any application on the IBMi environment and view sensitive data.
Even if we had menus in front with internal application security, they could
just dump the data. We don't think they would do that but our security folks
don't like to have security holes like this.
For those organizations who are using outsourcers to manage their
environments, are there some best practices (even good practices) that you
could recommend that would ameliorate that risk? I think to install the OS
you would need QSECOFR but what other reasons would you need it?
Thanks
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
midrange.com
