Hello Frank,

You wrote:
>Why this happened is he tried to start QSH after the V4R5 upgrade.
>For some reason it was not installed properly, but he found that
>there was a QSH in QSYSV4R4M0, hence the rest.

And you are paying this person real money?  Can I come and work for you?
I could be asleep for most of the day and still shine brighter than that
spark!  There is a serious lack of logical thought involved in the process
indicated by your paragraph.  Still, I guess he had a "learning
experience" and hopefully will think a bit more in future.

>These are the authority settings. Basically QPGMR.
>Also QPGMR on our machine has access to both
>CHGSYSLIBL and CHGSYSVAL,  I am not aware that we
>did anything special to enable this.

Someone at your company did something special -- they granted QPGMR
authority to the CHGSYSLIBL command.  It is shipped with QSYS *ALL and
*PUBLIC *EXCLUDE and that's all.  CHGSYSVAL is shipped with much more
access (QSYS, QSRV, QSYSOPR, QPGMR, and QSRVDRCTR).

As you have discovered, that command is a good way to expose your system.
There is very little reason for anyone to have authority to commands that
alter the system portion of the library list.

Which also leads on to the security issues involved in making programmers
and users part of the IBM-supplied profiles.  They simply shouldn't be
used -- exceptions are QSECOFR and QSYSOPR for actual signon, and QSRV
when an engineer is actually using it.  You really should create your own
programmer group, grant it only the authority needed by the job role
(which is NOT all that QPGMR can do regardless of how the programmers may
bleat), and assign your developers to that group.  None of the IBM
profiles should be a group profile because they generally have far more
authority than programmers, operators, and user require.

Regards,
Simon Coulter.

--------------------------------------------------------------------
   FlyByNight Software         AS/400 Technical Specialists
   http://www.flybynight.com.au/

   Phone: +61 3 9419 0175   Mobile: +61 0411 091 400        /"\
   Fax:   +61 3 9419 0175   mailto: shc@flybynight.com.au   \ /
                                                             X
                 ASCII Ribbon campaign against HTML E-Mail  / \
--------------------------------------------------------------------



As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.