> -----Original Message-----
> From: Bartram, Chris [SMTP:[log in to unmask]]
> Sent: Tuesday, July 24, 2001 1:15 PM
> To: 'Denise Mitchell'; [log in to unmask]
> Subject: RE: [HP3000-L] Security and Ecometry Users
>
> Denise,
>
> Feel free to give me a call or email... One of the first things I did when
> I got here was audit security on the systems. SG/Ecometry left the system
> wide open, with lots of capabilities granted and files released because they
> obviously didn't understand how the OS works.
>
> In short, if set up properly, users DON'T need OP.. which does allow global
> access to spoolfiles (and BACKUPS! Among other things). The first week I was
> here a user playing around accidentally fired off a full-system backup in
> the middle of the day.. knocking everyone off the system. It didn't help
> that for some reason "BACKUP" was a selection on some users' menus...
>
> We went a bit overboard in securing the system; and even brought in a
> separate box just for printing, where users get a dedicated menu when they
> log on that gives them control of THEIR reports for printing/deleting/etc,
> along with a web interface (using Apache/iX) to allow control of printing
> reports from their desktops. It does work well, but some of the principles
> could be accomplished on a single box.
>
> All MACS users really need (cap wise) is IA (BA if they'll stream jobs
> under their OWN IDs, which MACS doesn't usually do). Since pretty much all
> reports are generated in batch jobs, ND isn't usually needed, except for
> users that might have access to Suprtool/query to do ad-hoc reports. Ditto
> SF capability.
>
> OP is SG's lazy way of allowing printer control.. but ends up granting way
> too much control. A better approach is selectively using ALLOW commands to
> specific users and ASSOCIATE permission for printers in their areas, and
> providing a printer-control menu (that both makes the task easier and keeps
> people from tinkering where they shouldn't).
>
> One problem we encountered with the way MACS works is that all jobs log on
> under the id JOBS.<account>... which makes managing them a little tougher...
> since they don't "belong" to the userid that streamed the job. We remedied
> this using Espul (from RAC) to rename reports as they get created, changing
> their creator to the me user id of the user that streamed the job and the
> device to a device corresponding to their department or area. This lets
> users see "their" reports more easily, and allowed us to give them control
> over "their" reports and their specific printers (allow the user to
> ASSOCIATE the printer(s) in their area, giving them control over
> starting/stopping/etc that printer but no one else's).
>
> -Chris Bartram
> United States Mint
>
> -----Original Message-----
> From: Denise Mitchell [mailto:[log in to unmask]]
> Sent: Tuesday, July 24, 2001 12:09 PM
> To: [log in to unmask]
> Subject: [HP3000-L] Security and Ecometry Users
>
> Can anyone tell me what capabilities (OP, ND, SF, etc) are required for users
> of the MACS system or point me where to look? I notice that all users seem
> to have the OP cap (could possibly delete all spoolfiles (I've done it,
> inadvertently), PM and others. We'll be evaluating our security and I'd
> like to know exactly what's required of the users.
>
> Thanks for your help.
>
> denise mitchell
> ab&c group
> [log in to unmask]
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *