HP3000-L Archives

July 2001, Week 4

HP3000-L@RAVEN.UTC.EDU

From: "Bartram, Chris" <[log in to unmask]>
Reply To: Bartram, Chris
Date: Tue, 24 Jul 2001 13:14:59 -0400

Denise,

  Feel free to give me a call or email... One of the first things I did when
I got here was audit security on the systems. SG/Ecometry left the system
wide open, with lots of capabilities granted and files released because they
obviously didn't understand how the OS works.

  In short, if set up properly, users DON'T need OP.. which does allow global
access to spoolfiles (and BACKUPS! Among other things). The first week I was
here a user playing around accidentally fired off a full-system backup in
the middle of the day.. knocking everyone off the system. It didn't help
that for some reason "BACKUP" was a selection on some users' menus...

  We went a bit overboard in securing the system; and even brought in a
separate box just for printing, where users get a dedicated menu when they
log on that gives them control of THEIR reports for printing/deleting/etc,
along with a web interface (using Apache/iX) to allow control of printing
reports from their desktops. It does work well, but some of the principles
could be accomplished on a single box.

  All MACS users really need (cap wise) is IA (BA if they'll stream jobs
under their OWN IDs, which MACS doesn't usually do). Since pretty much all
reports are generated in batch jobs, ND isn't usually needed, except for
users that might have access to Suprtool/query to do ad-hoc reports. Ditto
SF capability.

  OP is SG's lazy way of allowing printer control.. but ends up granting way
too much control. A better approach is selectively using ALLOW commands to
specific users and ASSOCIATE permission for printers in their areas, and
providing a printer-control menu (that both makes the task easier and keeps
people from tinkering where they shouldn't).

  One problem we encountered with the way MACS works is that all jobs log on
under the id JOBS.<account>... which makes managing them a little tougher...
since they don't "belong" to the userid that streamed the job. We remedied
this using Espul (from RAC) to rename reports as they get created, changing
their creator to the user id of the user that streamed the job and the
device to a device corresponding to their department or area. This lets
users see "their" reports more easily, and allowed us to give them control
over "their" reports and their specific printers (allow the user to
ASSOCIATE the printer(s) in their area, giving them control over
starting/stopping/etc that printer but no one else's).

  -Chris Bartram
   United States Mint

                -----Original Message-----
                From:   Denise Mitchell [mailto:[log in to unmask]]
                Sent:   Tuesday, July 24, 2001 12:09 PM
                To:     [log in to unmask]
                Subject:        [HP3000-L] Security and Ecometry Users

                Can anyone tell me what capabilities (OP, ND, SF, etc.) are
                required for users of the MACS system or point me where to
                look?  I notice that all users seem to have the OP cap (could
                possibly delete all spoolfiles (I've done it, inadvertently)),
                PM and others.   We'll be evaluating our security and I'd
                like to know exactly what's required of the users.

                Thanks for your help.

                denise mitchell
                ab&c group
                [log in to unmask]

                * To join/leave the list, search archives, change list settings, *
                * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
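
An added example (not part of the original message, and not Ecometry/MACS or MPE code): a least-privilege check that applies the capability rules from the reply above (IA for everyone, BA only for users who stream jobs under their own ID, ND/SF only for Suprtool/query ad-hoc users) to a user listing. The input format, user names and the role flags `streams` and `adhoc` are constructed for illustration and are not LISTUSER output.

```python
# Added example: least-privilege audit using the capability rules from the reply.
# Input format, user names and role flags are constructed, not LISTUSER output.
BASELINE = {"IA"}             # interactive access: all a MACS user needs
STREAMS_OWN_JOBS = {"BA"}     # only if the user streams jobs under their OWN ID
ADHOC_REPORTS = {"ND", "SF"}  # only for Suprtool/query ad-hoc report users
CALLED_OUT = {"OP", "PM"}     # caps the thread names as granted to all users

# Constructed sample: user.account | granted caps | role flags
SAMPLE = """\
ALICE.MACS | IA,BA,ND,SF,OP,PM |
BOB.MACS   | IA,ND,SF          | adhoc
CAROL.MACS | IA,BA             | streams
DAVE.MACS  | BA,OP             | streams,adhoc
"""

def _tokens(field, fold):
    """Split a comma-separated field into a set of case-folded tokens."""
    return {fold(t.strip()) for t in field.split(",") if t.strip()}

def allowed_caps(flags):
    """Capabilities the reply's rules justify for a user with these role flags."""
    caps = set(BASELINE)
    if "streams" in flags:
        caps |= STREAMS_OWN_JOBS
    if "adhoc" in flags:
        caps |= ADHOC_REPORTS
    return caps

def parse(text):
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 'user | caps | flags'")
        yield parts[0].upper(), _tokens(parts[1], str.upper), _tokens(parts[2], str.lower)

def audit(text):
    """Per user: caps beyond the rules, which of those the thread calls out, and gaps."""
    findings = {}
    for user, granted, flags in parse(text):
        allowed = allowed_caps(flags)
        excess = granted - allowed
        findings[user] = {"excess": sorted(excess),
                          "called_out": sorted(excess & CALLED_OUT),
                          "missing": sorted(allowed - granted)}
    return findings

if __name__ == "__main__":
    for user, f in audit(SAMPLE).items():
        print(user, f)
```

The `missing` list shows capabilities a role would justify but the user lacks, so tightening can be checked against what each user still needs before anything is revoked.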
