I don't understand how you got CHGUSRPRF2 and CPYUSRPRF2 to work,
among others in TAATOOL.
I did not use those commands so I am not familiar with the authority
they require.
The TAATOOL documentation for these commands is here:
http://taatool.com/document/C_usrprf.htm
It would appear that these commands exist to allow an "Assistant
Security Officer" to work with user profiles. They specifically exclude
powerful profiles with special authorities. Most likely the commands
adopt *SECADM authority and require specific authority to the USRPRF.
So you would want 5722XE1, iSeries Access for Windows installed under
a profile other than QSECOFR? The same thing for Query Manager and
TCP/IP connectivity Utilities? Seems way overboard to me.
Absolutely, I don't know that any of these specifically require use of
the QSECOFR profile. RSTLICPGM only requires *SECADM and *ALLOBJ
authority.
In the past some software vendors would require the use of the QSECOFR
profile for installation, then immediately copy it to the profile that
owns all their objects. Then their helpdesk could have QSECOFR access
without having to ask you for it. Once you give up the control they can
do anything they want, like using a profile of ABC123 with a password of
ABC123.
Regards,
Scott Ingvaldson
Senior IBM Support Specialist
Fiserv Midwest
-----Original Message-----
From: ALopez@xxxxxxxxxx [mailto:ALopez@xxxxxxxxxx]
Sent: Tuesday, April 01, 2008 3:32 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Anti-virus for i5OS
I can't speak for everything, but I have installed TAATOOL and AJS
without using QSECOFR. Also PowerTech, Domino, WebSphere, MQ Series,
Content Manager, Cybermation ESP and many others. I only remember one
thing that truly required use of the QSECOFR profile, but I didn't end
up installing that (for that reason) and it's been so long ago that I
don't remember what it was.
I don't understand how you got CHGUSRPRF2 and CPYUSRPRF2 to work, among
others in TAATOOL.
With a change management system, and multiple versions of BPCS running
(4.05CD to LX), I would be faced with the content management software
having to match multiple, independent owners in addition to our own in
house menu system. By the time I've made the CMS profile a member of
all those groups, I hardly care about QSECOFR anymore. The keys to the
kingdom are already given away within the software. If a programmer
wants to write a check to themselves within the system, I'll assume that
they'll do it in the ERP package than monkeying with registered exit
points or modifying IBM objects. A lot easier to let the software do
it's job and grant authorities/ownership based on reference objects in
the libraries being loaded, and not necessarily any greater of a
security risk (depending on the CMS configuration and usage).
When I referred to the O/S, I was referring to the base O/S, in which
you have no choice because you have no other profiles available to
use.
LPPs are not technically O/S.
So you would want 5722XE1, iSeries Access for Windows installed under a
profile other than QSECOFR? The same thing for Query Manager and TCP/IP
connectivity Utilities? Seems way overboard to me.
In most cases users and applications request far more authority than
is required to do the job. It doesn't help that we work on a secure
system if we pay no attention to or disable the built-in security.
I certainly agree with this.
midrange.com
