|
Great Info! Thanks for sending this out. -----Original Message----- From: Santos, Fred [mailto:Fred.Santos@xxxxxxxxxxxxxxx] Sent: Wednesday, June 07, 2006 9:10 AM To: System 21 Users Cc: mdearmond@xxxxxxxxxxxxxxxx; bharper@xxxxxxxxxxxxxxxx Subject: Re: [SYSTEM21] Control of database updates for Sarbanes-Oxley Dan, we have completed our SOX controls here at NORTH Safety. We feel we have a very good control and verification of changes. The question you raised, we resolved by creating Group Teams to work in each of our Three environments, OY1 (live), TST (User Testing), DEV (Programmer Development testing) 1. We started by creating a dummy user OY1TEAM, one for each team. This ID is disabled. And only used for Supplemental Grouping. Display User Profile - Basic User profile . . . . . . . . . . . . . . . : OY1TEAM Previous sign-on . . . . . . . . . . . . . : Sign-on attempts not valid . . . . . . . . : 0 Status . . . . . . . . . . . . . . . . . . : *DISABLED Date password last changed . . . . . . . . : 05/28/99 Password expiration interval . . . . . . . : *SYSVAL Date password expires . . . . . . . . . : 08/26/99 Set password to expired . . . . . . . . . : *NO Local password management . . . . . . . . : *YES User class . . . . . . . . . . . . . . . . : *USER Special authority . . . . . . . . . . . . : *NONE Group profile . . . . . . . . . . . . . . : *NONE Owner . . . . . . . . . . . . . . . . . . : *USRPRF Group authority . . . . . . . . . . . . . : *NONE Group authority type . . . . . . . . . . . : *PRIVATE Supplemental groups . . . . . . . . . . . : *NONE 2. We then assigned all live users to be a part of the Supplemental group User profile . . . . . . . . . . . . . . . : FREDS Previous sign-on . . . . . . . . . . . . . : 06/06/06 14:01:02 Sign-on attempts not valid . . . . . . . . : 0 Status . . . . . . . . . . . . . . . . . . : *ENABLED Date password last changed . . . . . . . . : 03/30/06 Password expiration interval . . . . . . . : *SYSVAL Date password expires . . . . . . . . . : 06/28/06 Set password to expired . . . . . . . . . : *NO Local password management . . . . . . . . : *YES User class . . . . . . . . . . . . . . . . : *USER Special authority . . . . . . . . . . . . : *NONE Group profile . . . . . . . . . . . . . . : QPGMR Owner . . . . . . . . . . . . . . . . . . : *GRPPRF Group authority . . . . . . . . . . . . . : *NONE Group authority type . . . . . . . . . . . : *PRIVATE Supplemental groups . . . . . . . . . . . : OY1TEAM 3. We assigned Object Authority to all Physical Files in our live environment, to allow QPGMR to "*USE" the data with the Team Group "*ALL" Authority. This allows the programmers to refresh data in DEV or TST, But does not allow them to change. "Any" program that tries to perform an update to a physical file, and the user is not in the OY1TEAM, will crash. Display Object Authority Object . . . . . . . : INP35 Owner . . . . . . . : QPGMR Library . . . . . : OY1@@F3 Primary group . . . : *NONE Object type . . . . : *FILE ASP device . . . . . : *SYSBAS Object secured by authorization list . . . . . . . . . . . . : *NONE Object User Group Authority *PUBLIC *EXCLUDE *GROUP QPGMR *USE OY1TEAM *ALL 4. Finally, Use the System/21 Administrative Functions to control that none of your "LIVE" users have Command Line Authority. This will stop them from running SQL and other update jobs. XA100 Administration Functions System: NSPS204 Maintain User Profiles User Profile Process CRPC1 * User not defined to OS/400 * *Update Type changes, press Enter and then F3 to Update User level. . . . . . . . . . . 9 (1=Novice,3=Expert,8=Nov Grp,9=ExpGrp) Initial menu . . . . . . . . . AM Default sign-on company . . . . A2 Single application task . . . . Default development application Language code . . . . . . . . . Default job queue / library . . QBATCH / QGPL Default print queue / library . PRTCRPUR01 / QUSRSYS Hold on print queue . . . . . . 1 (1=Yes,0=No) Authorized to common functions 0 (1=Yes,0=No) Sign-off on leaving system. . . 1 (1=Yes,0=No) Date format (D/M/Y) . . . . . . M Allow submit job prompt . . . . 1 (1=Yes,0=No) Allow command entry . . . . . . 0 (1=Yes,0=No) Message delivery. . . . . . . . *USER (*NOTIFY,*BREAK,*HOLD,*DFT,*USER) 5. We set each of our Environments up this way. It works very well. No user can maintain "Live" data outside the System/21 Menu System. 6. You ask what happens in the event data "must" be patched in live and no S21 function exists? The Operations Staff has full control of assigning Authorities and User Profiles. They have a special user profile called "PRODUCTION". This user is normally disabled. It can be activated by special written authority, to allow corrections to data. The correction is logged with the request, and the update must be verified by the IT Manager, -----Original Message----- From: system21-bounces@xxxxxxxxxxxx [mailto:system21-bounces@xxxxxxxxxxxx] On Behalf Of DThomas@xxxxxxxxxxxxxxxx Sent: Tuesday, June 06, 2006 3:55 PM To: SYSTEM21@xxxxxxxxxxxx Cc: mdearmond@xxxxxxxxxxxxxxxx; bharper@xxxxxxxxxxxxxxxx Subject: [SYSTEM21] Control of database updates for Sarbanes-Oxley We are interested in restricting database updates outside System 21 applications. Our thoughts are to limit these changes (which should be rare) to DBU and use the DBU auditing utility. We wish to prevent use of interactive SQL (STRSQL) and DFU. I'm looking for feedback from other companies that have gone through the same issue. Also, would restricting use of STRSQL affect embedded SQL statements in System 21 RPG programs? Dan Thomas Vice President RxCrossroads 4500 Progress Blvd Louisville, KY 40218-3420 Office Direct (502) 318-1208 Cell (502) 931-3736 Fax (502) 318-1128 This information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material, the disclosure of which is governed by applicable law. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact me and destroy the materials contained in this message. _______________________________________________ This is the System 21 Users (SYSTEM21) mailing list To post a message email: SYSTEM21@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/system21 or email: SYSTEM21-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/system21. _______________________________________________ This is the System 21 Users (SYSTEM21) mailing list To post a message email: SYSTEM21@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/system21 or email: SYSTEM21-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/system21.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.