Delete powerful profile that owns everything
Jim Franz
2014-10-20 14:29:31 UTC
This is more of a discussion than a question.
Auditors are requiring we remove profiles for former employees, and we
recently lost our Sys Admin of ten years... and she owned "almost"
everything.
I already knew it was not a healthy setup, but the question is what form to
change to.
The removal of the profile has the option to reassign the ownership.
There are several package apps and inhouse apps.
The "Q" profiles do not own stuff except where the IBM product has a
profile (like IBM Content Manager). Most of the products do have a
profile.
We can create a profile to install/upgrade and own.
Also finding her profile in products using ftp..
Best practice?
Jim Franz
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L-Zwy7GipZuJhWk0Htik3J/***@public.gmane.org
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request-Zwy7GipZuJhWk0Htik3J/***@public.gmane.org
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Chris Bipes
2014-10-20 14:37:02 UTC
Don't know about best practice but we try to create an owner for each application. We make QSECOFR the owner for all user profiles. (Probably not the best practice.) The IFS gets to be a real pain.

I would create a service account for the sys admin and change owner to it as a temporary stop gap until you can formalize a plan that satisfies you and the auditors and then start changing ownership of the service account owned objects. (Service accounts should not have a password and initial program be signoff.)

Chris Bipes
Director of Information Services
CrossCheck, Inc.

John R. Smith, Jr.
2014-10-20 15:05:15 UTC
You also should make sure programs are not adopting her authority because
moving them to another profile with different authorities will break things.

DrFranken
2014-10-20 15:16:07 UTC
Tick Tick Tick, yes this is a big problem.

As the thread started this is a discussion and it's known that the
current setup is NOT best practice...... but all too common.

Adopted authority is indeed useful and a valid technique that limits
authority to when it's needed. But the profile being adopted should have
no rights to sign on, thus limiting it from being used for FTP, ODBC, file
sharing etc.

- Larry "DrFranken" Bolhuis

www.frankeni.com
www.iDevCloud.com
www.iInTheCloud.com
Jim Franz
2014-10-20 16:15:08 UTC
Is there a record in the security audit journal that would show adopting
authority to a specific profile?

btw - We are fairly tight on exit procedures and no exiting
person's profile should be still active by the time they leave the
building.
We did a reset of QSECOFR profile, HMC , etc.
It was a friendly exit.
Jim
r***@public.gmane.org
2014-10-20 16:45:19 UTC
Adopting authority is easy. Just look for objects by owner that DSPPGM
shows User profile *OWNER. Now, if you're concerned whether or not the
programs have been used recently, that will take a little more looking into. But
not much.

Swapping profiles is different than adopting authority. A little more
work to do but adopting authority is a joke when it comes to the stream
file system (aka IFS to those who don't believe that qsys.lib is part of
the IFS).


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
Vernon Hamberg
2014-10-20 17:17:12 UTC
Good point about IFS - no adopting authority over IFS objects.

I believe one doesn't have to go whole-hog on swapping profiles - there
is a change with less impact - changing the UID or GID of the user.

There are a couple APIs for those changes, and someone will have to
confirm this - it's been too long since I looked at this.

Vern
Jim Oberholtzer
2014-10-20 17:51:04 UTC
There was an earlier suggestion about simply changing the exiting owner
profile to be the new owner without the reference to the user etc. (Sorry I
can't remember who suggested it)

I think in the case cited here, that is by far and away the best move. At
the very least it would be my choice.

--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


Vincent Forbes
2014-10-20 19:05:59 UTC
I would keep the id in place & make it the "Application" owner. Change the user profile so it can't log in, i.e. initial program to signoff etc. Change the password, if it is not hard coded somewhere for FTP etc.

You can always change apps piece by piece.

If you don't have an FTP exit point set yet, get it & use it to log FTP traffic to see if & where this id is being used.

Vincent
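To make Vincent's suggestion concrete, here is an added example (not from the thread or any poster) of an FTP server request exit program that allows every request but writes who did what, from which address, to a message queue. It assumes the QIBM_QTMF_SERVER_REQ exit point with format VLRQ0100; SECLIB, FTPLOG and FTPLOGEXT are placeholder names, and the operation-identifier values in the comments are the ones from that format's description.

```cl
/* FTPLOGEXT - FTP server request exit (QIBM_QTMF_SERVER_REQ, VLRQ0100)  */
/* Logs every FTP request so use of a departed profile shows up.         */
/* Added example, not from the thread. SECLIB/FTPLOG is a placeholder.   */
PGM        PARM(&APPID &OPID &USER &IPADDR &IPLEN &OPINFO &OPLEN &ALLOW)
  DCL        VAR(&APPID)  TYPE(*CHAR) LEN(4)   /* binary(4): application id */
  DCL        VAR(&OPID)   TYPE(*CHAR) LEN(4)   /* binary(4): 0=session init */
                                               /* 1=crtdir 2=dltdir 3=cd    */
                                               /* 4=list 5=dltfile 6=send   */
                                               /* 7=receive 8=rename 9=RCMD */
  DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)  /* profile after logon      */
  DCL        VAR(&IPADDR) TYPE(*CHAR) LEN(45)  /* char(*): IPv4/IPv6 text  */
  DCL        VAR(&IPLEN)  TYPE(*CHAR) LEN(4)   /* binary(4)                */
  DCL        VAR(&OPINFO) TYPE(*CHAR) LEN(256) /* char(*): path or command */
  DCL        VAR(&OPLEN)  TYPE(*CHAR) LEN(4)   /* binary(4)                */
  DCL        VAR(&ALLOW)  TYPE(*CHAR) LEN(4)   /* binary(4) out: 1 = allow */

  DCL        VAR(&OP)     TYPE(*DEC)  LEN(10 0)
  DCL        VAR(&OPC)    TYPE(*CHAR) LEN(10)
  DCL        VAR(&ILEN)   TYPE(*DEC)  LEN(10 0)
  DCL        VAR(&OLEN)   TYPE(*DEC)  LEN(10 0)
  DCL        VAR(&IP)     TYPE(*CHAR) LEN(45)
  DCL        VAR(&INFO)   TYPE(*CHAR) LEN(256)
  DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(512)

  /* A logging failure must never turn into a denied FTP request:      */
  /* on any error, fall through to the allow at the bottom.            */
  MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ALLOW))

  CHGVAR     VAR(&OP)   VALUE(%BIN(&OPID))
  CHGVAR     VAR(&OPC)  VALUE(&OP)              /* numeric -> char      */
  CHGVAR     VAR(&ILEN) VALUE(%BIN(&IPLEN))
  CHGVAR     VAR(&OLEN) VALUE(%BIN(&OPLEN))
  /* Clamp the lengths to the local buffers before substringing.       */
  IF (&ILEN *GT 45)  THEN(CHGVAR VAR(&ILEN) VALUE(45))
  IF (&OLEN *GT 256) THEN(CHGVAR VAR(&OLEN) VALUE(256))
  IF (&ILEN *GT 0)   THEN(CHGVAR VAR(&IP)   VALUE(%SST(&IPADDR 1 &ILEN)))
  IF (&OLEN *GT 0)   THEN(CHGVAR VAR(&INFO) VALUE(%SST(&OPINFO 1 &OLEN)))

  CHGVAR     VAR(&TEXT) VALUE('FTP user' *BCAT &USER *BCAT 'from' +
               *BCAT &IP *BCAT 'op' *BCAT &OPC *BCAT &INFO)
  /* CPF9898 is the general-purpose "text as given" message.           */
  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&TEXT) +
             TOMSGQ(SECLIB/FTPLOG) MSGTYPE(*INFO)

ALLOW:
  /* Log-only exit: 1 allows the request, 0 would reject it.           */
  CHGVAR     VAR(%BIN(&ALLOW)) VALUE(1)
ENDPGM

/* One-time setup (placeholders), then restart FTP so the exit is used: */
/*   CRTMSGQ    MSGQ(SECLIB/FTPLOG) TEXT('FTP request audit log')        */
/*   ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) +         */
/*              PGMNBR(1) PGM(SECLIB/FTPLOGEXT)                          */
/*   ENDTCPSVR SERVER(*FTP)  then  STRTCPSVR SERVER(*FTP)                */
/* Review with DSPMSG MSGQ(SECLIB/FTPLOG) and look for the old profile.  */
```

After logon the exit runs under the FTP user's profile, so rather than giving *PUBLIC change authority on the log queue, compile this program with USRPRF(*OWNER) and give it an owner that can't sign on (exactly the use of adopted authority DrFranken describes above): the owner has *CHANGE to SECLIB/FTPLOG, nobody else needs it.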
CRPence
2014-10-21 18:15:47 UTC
Post by Jim Franz
Is there a record in the security audit journal that would show
adopting authority to a specific profile? <<SNIP>>
I am unsure of the use of the audit journal to determine that. Even
if it could, the presumption that all required auditing information would be both
available [i.e. the information was being audited] and exist since the
creation of the program seems quite improbable.

Look at the Print Adopting Objects (PRTADPOBJ) command as a possible
means to obtain a report that might /show/ what is asked; there is a
User Profile (USRPRF) parameter. AFaIK the /Change Report/ presumes a
past collection is unaltered and persists as data in a file; from a
quick peek at the help text, I saw a mention of a "file QSECADPOLD in
library QUSRSYS contains information from the last time the PRTADPOBJ
command was run for a user profile.".
--
Regards, Chuck
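Pulling together Rob's DSPPGM *OWNER check and Chuck's PRTADPOBJ pointer above, here is an added example (mine, not from the thread) of a CL program that inventories a departing profile before any ownership is moved. The DSPUSRPRF and DSPOBJD outfiles are my additions; PRTADPOBJ and the QUSRSYS/QSECADPOLD file are from the thread. &USR and the QGPL/* outfile names are placeholders.

```cl
/* INVDEPART - inventory what a departing profile owns, what it holds   */
/* private authority to, and which programs adopt its authority.       */
/* Added example, not from the thread. Outfile names are placeholders. */
PGM        PARM(&USR)
  DCL        VAR(&USR) TYPE(*CHAR) LEN(10)

  /* 1. Every object the profile owns, as a queryable outfile. Group   */
  /*    the rows by library to decide the per-application owners.     */
  DSPUSRPRF  USRPRF(&USR) TYPE(*OBJOWN) OUTPUT(*OUTFILE) +
             OUTFILE(QGPL/OWNEDOBJ)

  /* 2. Private authorities on objects the profile does NOT own.       */
  /*    Changing ownership does not carry these over, so each one     */
  /*    must be re-granted to the new owner or group before deletion. */
  DSPUSRPRF  USRPRF(&USR) TYPE(*OBJAUT) OUTPUT(*OUTFILE) +
             OUTFILE(QGPL/PVTAUT)

  /* 3. Programs compiled with USRPRF(*OWNER) that adopt this profile  */
  /*    (the DSPPGM check in bulk). A later run with CHGRPTONLY(*YES) */
  /*    prints only what changed against QUSRSYS/QSECADPOLD.          */
  PRTADPOBJ  USRPRF(&USR) CHGRPTONLY(*NO)

  /* 4. Last-used data for all user-library programs, to answer "has  */
  /*    this adopting program run recently?". In the outfile ODOBOW   */
  /*    is the owner, ODUDAT the last-used date, ODUCNT days used.    */
  /*    This pass is slow on a large system; run it in batch.         */
  DSPOBJD    OBJ(*ALLUSR/*ALL) OBJTYPE(*PGM *SRVPGM) DETAIL(*FULL) +
             OUTPUT(*OUTFILE) OUTFILE(QGPL/PGMUSE)
ENDPGM
```

Call it as CALL INVDEPART (ADMINOLD), then join QGPL/PGMUSE to the PRTADPOBJ report on library and object name: an adopting program owned by the old profile with no last-used date in months is a candidate for removal rather than re-ownership.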
Raul A. Jager W.
2014-10-20 19:00:15 UTC
We give the ownership to groups
Steinmetz, Paul
2014-10-20 19:16:36 UTC
We do the same, give ownership to the group.
I recently learned in a security class that this is a flaw.
You should create a new user simply to own objects, make that user part of the group, then change the object owner to this new user.
Public exclude.

Paul

Rich Loeber
2014-10-20 15:12:57 UTC
As an interim step which should satisfy the auditors if they understand
the IBM i OS, you should change the account password to *NONE, set it to
*DISABLED and initial menu to *SIGNOFF. That way, the only way the
profile can be used is by reference from an existing application. It
cannot be used to sign on from anywhere.

Rich Loeber - @richloeber
Kisco Information Systems
http://www.kisco.com

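As an added example (mine, not from any poster), the commands below combine Rich's interim lock-down, Chris's no-password service account, Paul's owner-profile-in-a-group with public excluded, and the DLTUSRPRF reassign option Jim mentioned, in the order a practitioner would run them. ADMINOLD (the former admin), APPXOWN, APPXGRP, APPXLIB, CUSTMAST, ADMINSVC and the IFS path are placeholders; the group profile and ADMINSVC are assumed to exist already.

```cl
/* LOCKDEPART - interim lock-down of a departed admin's profile, then  */
/* a per-application owner profile and the ownership transfer.        */
/* Added example, not from the thread. All names are placeholders.    */
PGM
  /* Interim step: the profile can no longer sign on anywhere and has  */
  /* no special authorities, but still exists as an owner so anything  */
  /* that references it keeps working while ownership is moved.       */
  CHGUSRPRF  USRPRF(ADMINOLD) PASSWORD(*NONE) STATUS(*DISABLED) +
             INLPGM(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(*NONE) +
             TEXT('Former sysadmin - owner only, keep disabled')

  /* Per-application owner: created already locked down, a member of  */
  /* the application's group. Access is granted to the group, never   */
  /* to the owner, so nobody ever needs the owner's credentials.      */
  /* AUT(*EXCLUDE) on the profile object itself stops anyone from     */
  /* submitting jobs as this owner.                                    */
  CRTUSRPRF  USRPRF(APPXOWN) PASSWORD(*NONE) STATUS(*DISABLED) +
             INLPGM(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(*NONE) +
             GRPPRF(APPXGRP) AUT(*EXCLUDE) +
             TEXT('Owner of application X objects - never signs on')

  /* Library side. CHGOBJOWN takes one object at a time; drive it from */
  /* the DSPUSRPRF TYPE(*OBJOWN) outfile with an RCVF loop. Shown here */
  /* for the library and one file. CUROWNAUT(*REVOKE) leaves the old  */
  /* profile with no lingering private authority.                     */
  CHGOBJOWN  OBJ(APPXLIB) OBJTYPE(*LIB) NEWOWN(APPXOWN) +
             CUROWNAUT(*REVOKE)
  CHGOBJOWN  OBJ(APPXLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(APPXOWN) +
             CUROWNAUT(*REVOKE)

  /* IFS side. Adopted authority does not apply to stream files, so   */
  /* ownership and explicit authority are all that protects them.     */
  CHGOWN     OBJ('/appx/data/*') NEWOWN(APPXOWN) RVKOLDAUT(*YES)

  /* Public excluded, the group gets only what the application needs. */
  GRTOBJAUT  OBJ(APPXLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT  OBJ(APPXLIB) OBJTYPE(*LIB) USER(APPXGRP) AUT(*USE)

  /* Final step, once every application has its own owner: delete the */
  /* old profile and hand any stragglers to a stop-gap service profile */
  /* locked down the same way, for the auditors to see cleaned up.    */
  DLTUSRPRF  USRPRF(ADMINOLD) OWNOBJOPT(*CHGOWN ADMINSVC) PGPOPT(*NOCHG)
ENDPGM
```

Run the first CHGUSRPRF the day the person leaves; everything after it can be done application by application, as Vincent says, and the DLTUSRPRF only once the inventory of what ADMINOLD still owns is down to things nobody cares about.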
r***@public.gmane.org
2014-10-20 15:16:41 UTC
Yeah, burying user IDs and passwords into scripts is a real yee-haw. Our
master Windows domain admin password hasn't changed since, well, before
2006. And I know that because some people who left back then might still
know it. It starts so many services.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
paultherrien
2014-10-20 15:17:24 UTC
If you remove the Sys Admin profile you will need to move all of the objects to
a new user.
Which user will that be? A generic user not associated with an actual human
being?
Why not just lock down the Sys Admin profile by changing the profile so it is
not allowed to sign on, or just change the password?
The security issue with the Sys Admin profile seems to be that there was a user
who used it to sign on and there is a fear that this user may sign on again from
somewhere.
Are you also concerned about QSECOFR and QSYSOPR?
I would bet that the Sys Admin probably knows / knew how to sign on as QSECOFR
and QSYSOPR too. But you will not be deleting these profiles.
I am just saying this in the hope of saving you anguish and headaches.
Paul Therrien
Andeco Software, LLC
paultherrien-***@public.gmane.org
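Putting the two threads of advice together: Rich Loeber's interim lockdown (password *NONE, *DISABLED, initial menu *SIGNOFF) and the "which user gets the objects?" question Paul Therrien raises. The CL program below is an added example written for this thread; it is not code from any of the posters. The program name LOCKPRF, the profile name OLDADMIN, the outfile OWNEDOBJ and the placeholder NEWOWNER are all assumed names. It locks the profile, verifies the lock actually took rather than trusting the command, and writes an inventory of the objects the profile owns so the ownership transfer can be planned before anything is deleted.

```cl
/* LOCKPRF: lock a departed user's profile and inventory what it owns.   */
/* Added example for this discussion; names below are placeholders.      */
/* Usage:  CALL PGM(LOCKPRF) PARM(OLDADMIN)                               */
PGM        PARM(&USRPRF)
  DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
  DCL        VAR(&STATUS) TYPE(*CHAR) LEN(10)
  DCL        VAR(&INLMNU) TYPE(*CHAR) LEN(10)

  /* 1. Interim lockdown, as Rich describes. Objects that reference the  */
  /*    profile (ownership, programs that adopt its authority) keep       */
  /*    working; nobody can sign on with it any more.                     */
  CHGUSRPRF  USRPRF(&USRPRF) PASSWORD(*NONE) STATUS(*DISABLED) +
               INLMNU(*SIGNOFF) INLPGM(*NONE) +
               TEXT('Locked - former employee, pending ownership transfer')

  /* 2. Verify the lock instead of assuming it. A profile with           */
  /*    *ENABLED status or a real initial menu is still a sign-on target. */
  RTVUSRPRF  USRPRF(&USRPRF) STATUS(&STATUS) INLMNU(&INLMNU)
  IF COND((&STATUS *NE '*DISABLED') *OR (&INLMNU *NE '*SIGNOFF')) THEN(DO)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Lockdown of' *BCAT &USRPRF *BCAT 'did not apply') +
                 MSGTYPE(*ESCAPE)
  ENDDO

  /* 3. Inventory of owned library objects (model file QADSPUPO) so the  */
  /*    application-by-application owner plan can be built from data.    */
  DSPUSRPRF  USRPRF(&USRPRF) TYPE(*OBJOWN) OUTPUT(*OUTFILE) +
               OUTFILE(QTEMP/OWNEDOBJ)

  /* 4. Later, once a per-application or service owner profile exists:   */
  /*    CHGOBJOWN object by object from the OWNEDOBJ list, or reassign   */
  /*    everything in one step while deleting the profile, e.g.          */
  /*    DLTUSRPRF USRPRF(OLDADMIN) OWNOBJOPT(*CHGOWN NEWOWNER)            */
  /*    Deliberately not run here: deletion is the last step, not first. */
ENDPGM
```

Two cautions on the inventory step. DSPUSRPRF TYPE(*OBJOWN) lists objects in libraries; it does not enumerate stream files in the IFS, which is where Chris Bipes notes ownership tends to get painful, so IFS directories owned by the profile need a separate check. And, as the original post found with FTP, the outfile says nothing about scripts or product configurations that authenticate with the profile's password; setting the password to *NONE is exactly what surfaces those, because they start failing, which is why the lockdown is best done when someone is watching the job logs.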