Yes, generally one at a time is sufficient. There will always be rare
(hopefully less than once in a lifetime) exceptions like a team of
QSECOFRs restoring and fixing after a catastrophic failure.

But, earlier I discussed the possibility of doing a multishift downtime
remotely, like from each's own home. Tossing the dog tag with the TOTP key
on it to the next county is a chore. And, setting up an eyes-only internal
website with a TOTP key display will probably make some auditor wail and
gnash their teeth.
Leave it hanging in front of a web cam? :-)

For example, our next downtime is scheduled for June 21. Prior to that I
will personally patch all the LPARs on two of our Power systems. They can
be done midday, thanks to replication, etc. On June 21 employee 1 will
start at 6am and start bringing down LPARs and getting their backups going,
etc. Employee 2 will come in 8 hours later and take over. If it takes
more than another 8 hours we have employee 3 on deck. This is not common.
Our longest full system save is 3:13. (Yes, I keep detailed records.)
If these people worked from home (I'm getting some push on that), dealing
with that TOTP may be a concern.


On Thu, Apr 10, 2025 at 7:37 AM Patrik Schindler <poc@xxxxxxxxxx> wrote:

Hello Rob,

On 10.04.2025 at 13:18, Rob Berendt <robertowenberendt@xxxxxxxxx> wrote:

Generally I agree with you. And I use my profile with QSECOFR type
access for most cases. There are times though when using QSECOFR is
preferred. Like OS upgrades, PTFs, installing certain vendor packages and
all those processes where you don't want PETESEC owning a bunch of objects.

Good point!

I think it should be possible to coordinate a team so that this kind of work
is done by only one person at a given time, and that person gets
QSECOFR. I feel that installing vendor packages while PTFing is taking place
might be a bad idea in general?

:wq! PoC


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.




This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
