Dave,
Back in the early days of AS/400 and OS/400, before the internet, TCP/IP,
etc., it was fairly easy to keep AS/400 systems "isolated" from "the
outside world" -- e.g. by "physical security" -- you had to be in the same
building, with twinax connected terminals, etc. to gain access to the AS/400
system.
OS/400 shipped with a default QSECURITY = 20, and some shops even used
QSECURITY = 10. With QSECURITY values below 30, the system by default
gives each new user profile created *ALLOBJ special authority (trying to
make OS/400 more "upward compatible" from S/36 SSP).
So, if the shop you now work for has been an "AS/400" customer for many years,
it is very possible that this is why so many profiles have *ALLOBJ.
In any case, that was never a "good" idea. You should begin carefully
planning for how to remove *ALLOBJ from most user profiles.
All the best,
Mark S. Waterbury
On Monday, September 28, 2020, 10:18:59 AM EDT, Dave <dfx1@xxxxxxxxxxxxxx>
wrote:
Back to work and the first thing I did was to check for *ALLOBJ special
authority. Out of 700 profiles, only 60 DON'T have it. Is it a default
parameter on the CRTUSRPRF command maybe? Seems like a lot of VIP users to
me :-)
What a great place this is! (Midrange, I mean)
On Wed, 9 Sep 2020 at 10:39, Dave <dfx1@xxxxxxxxxxxxxx> wrote:
Many thanks to all who replied. I've been off the list for quite a while
and it's nice to see the same old names. I will probably have more
questions when I start analyzing the objects concerned, just need to finish
my holidays first :-)
Mark Waterbury <mark.s.waterbury@xxxxxxxxxxxxx> schrieb am Di., 1. Sept.
2020, 19:56:
Hello, Dave,
What version of the IBM i OS is in use? Newer versions offer more and
even better protection choices.
IBM i 7.1 and above provides the ability to use Db2i "FieldProcs" to
secure individual columns in your chosen database tables (files),
encrypting and decrypting the values as needed. This can also be done
"conditionally," based on user or group profile, etc.
IBM i 7.2 and above provides Db2i "Row and Column Access Controls."
With RCAC, you could even prevent users with *ALLOBJ authority from viewing
or changing data within certain tables (files).
I hope this helps somewhat.
All the best,
Mark S. Waterbury
On Tuesday, September 1, 2020, 10:49:17 AM EDT, Dave <
dfx1@xxxxxxxxxxxxxx> wrote:
Hi,
I've been given the task of rendering a few files containing banking data
"secure". I don't know much about this subject at all, but I've the feeling
that might be more than most in this company!
The requirement is that the files involved become the property of the owner
of the program that performs the updates and writes to the files.
Nothing is mentioned about mere consulting of banking data. Modifications via
SQL and DFU are to be prohibited. Only certain users will be able to use the
program that can modify the files.
I think I'm capable of putting that all into place without help, but I'm
sure there are many loopholes in this proposed solution to prevent fraud.
I'm wondering what a good strategy would be and how to implement it.
Any advice would be much appreciated.
Dave
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
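
The Row and Column Access Control approach mentioned in the thread, as an added example that is not part of any of the messages above. The library BANKLIB, the table ACCOUNTS, its IBAN column (assumed VARCHAR(34)) and the group profiles BANKUPD and BANKVIEW are hypothetical names; it assumes IBM i 7.2 or later and a profile that is allowed to administer RCAC.

```sql
-- Added example: all object and group names below are hypothetical.

-- Row permission: rows are returned only to members of the update group
-- or the read-only group. Any other profile, including one with *ALLOBJ
-- special authority, sees an empty table and therefore cannot read,
-- update or delete rows, whichever interface is used to reach the file.
CREATE PERMISSION BANKLIB.ACCOUNTS_ROWS ON BANKLIB.ACCOUNTS
  FOR ROWS WHERE
    VERIFY_GROUP_FOR_USER(SESSION_USER, 'BANKUPD', 'BANKVIEW') = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: members of the update group see the full IBAN; members of
-- the read-only group see only the last four characters.
CREATE MASK BANKLIB.ACCOUNTS_IBAN_MASK ON BANKLIB.ACCOUNTS
  FOR COLUMN IBAN RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'BANKUPD') = 1
        THEN IBAN
      ELSE 'XXXX' CONCAT RIGHT(IBAN, 4)
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
ALTER TABLE BANKLIB.ACCOUNTS
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;
```

RCAC filters on top of object authority rather than replacing it, so the read-only group still needs its update authority to the file withheld through normal object-level security.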
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].