Shalom
BPCS Security was dramatically re-written going from version V4 to V6 to 
address many long-standing issues with prior versions.
Some of the security threats are non-obvious to many IT and management 
staff, and BPCS security can be cumbersome to navigate and manage.  In 
general, we trust people to behave responsibly, whether ordinary users, or 
IT people, but opportunities abound for various kinds of human error and 
embezzlement to go unnoticed.  For example, an error is made in defining an 
item, we conclude from the data that it is unprofitable ... it is not 
unprofitable, the data is wrong, but this is non-obvious.  Lots of things 
in BPCS are non-obvious, not just errors in security, it is a systemic problem.
What usually is noticed first is that many people need to access INV100 to 
change lots of stuff unrelated to each other, and it is very easy for 
someone to accidentally field exit thru some field managed by some other 
corporate dept, and mess things up, with no one the wiser.
Solution ... clone the INV100 software creating INVI* this and that 
variants where customer service updates the list price and last quote but 
not much else, purchasing updates info on last vendor contract, engineers 
update revision level, plant maintenance updates tooling ... each dept 
getting at THEIR fields, then limit who has authority to these different areas.
UPI and other firms have supplied add-on products to help resolve this area:
   * security files management made friendly
   * security audit to identify weaknesses in a format that tells 
management what the problems are, without providing info useful to a 
hacker, such as how many passwords are easy to guess and have not been 
changed in eons, or if virtual sessions are set up so that a potential 
hacker can have infinite password guesses.
   * database monitoring that is BPCS field specific to sensible 
interests, such as who changed the price, shipped out some stuff, then 
changed the price back; or changed the GL rules, so that inventory 
transactions are invisible from GL, then walked off with a pile of inventory, 
then changed the GL rules back again.
   * conversion tool to get BPCS security from vulnerable group authority 
to rules changed to more modern theories on good 400 security, and get the 
whole task accomplished smoothly without a big hassle
-
Al Macintyre  http://www.ryze.com/go/Al9Mac
Find BPCS Documentation Suppliers 
http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
BPCS/400 Computer Janitor
Step 3
Change the default object authority to modify the sensitive files,
and allow data modification only to those who need it.
This will not work for files like IIM!!
Shalom Carmel
www.venera.com - exposing AS/400 insecurity
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.