RE: Anti-virus for i5OS

[ALopez@xxxxxxxxxx]

> I can't speak for everything, but I have installed TAATOOL and AJS
> without using QSECOFR.  Also PowerTech, Domino, WebSphere, MQ Series,
> Content Manager, Cybermation ESP and many others.  I only remember one
> thing that truly required use of the QSECOFR profile, but I didn't end
> up installing that (for that reason) and it's been so long ago that I
> don't remember what it was.

I don't understand how you got CHGUSRPRF2 and CPYUSRPRF2 to work, among 
others in TAATOOL. 

With a change management system, and multiple versions of BPCS running 
(4.05CD to LX), I would be faced with the content management software 
having to match multiple, independent owners in addition to our own in 
house menu system.  By the time I've made the CMS profile a member of all 
those groups, I hardly care about QSECOFR anymore.  The keys to the 
kingdom are already given away within the software.  If a programmer wants 
to write a check to themselves within the system, I'll assume that they'll 
do it in the ERP package than monkeying with registered exit points or 
modifying IBM objects.  A lot easier to let the software do it's job and 
grant authorities/ownership based on reference objects in the libraries 
being loaded, and not necessarily any greater of a security risk 
(depending on the CMS configuration and usage). 

> When I referred to the O/S, I was referring to the base O/S, in which
> you have no choice because you have no other profiles available to use.
> LPPs are not technically O/S.

So you would want 5722XE1, iSeries Access for Windows installed under a 
profile other than QSECOFR?  The same thing for Query Manager and TCP/IP 
connectivity Utilities?  Seems way overboard to me.

> In most cases users and applications request far more authority than is
> required to do the job.  It doesn't help that we work on a secure system
> if we pay no attention to or disable the built-in security.

I certainly agree with this.