QUESTION POSED ON: 23 May 2002
What has been your opinion and experience in giving programmers access to production libraries to fix critical production problems? Is this acceptable, and would this pass an IT audit? Should programmers be able to invoke this application themselves to grant themselves additional authority? Would this pass a typical IT audit?
Scenario: At our company, programmers have *USE authority to production libraries. We have a procedure in place to give additional authority to programmers when needed to fix critical problems. The programmer calls our operations department and requests temporary *ALLOBJ access. The operator will invoke an in-house application, from a menu, and record "why" the programmer needed the access, put in the programmer's user I.D., etc. (in the background, *ALLOBJ is added to the programmer's user profile, auditing is invoked, and a time limit is set on when to expire this access, etc.). Also, an audit report is generated with a log of the programmer's activity; the security administrator can then review this audit log for abuse. Our application managers would like to see programmers have the capability to give themselves the *ALLOBJ access via our application and menu option, instead of having to call operations. Please refer to my earlier questions.
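
An added example, not part of the original question and not the company's in-house application: a small Python model of the grant records the scenario describes (who received *ALLOBJ, who ran the menu option, the recorded reason, the expiry), with a review check that flags self-granted access, a missing reason, a missing expiry, or an overlong window. The field names, profile names, sample records and the 8-hour limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_WINDOW = timedelta(hours=8)  # assumed policy limit, not from the page


@dataclass
class Grant:
    """One temporary *ALLOBJ grant as the scenario describes it (hypothetical fields)."""
    programmer: str                 # profile that received *ALLOBJ
    granted_by: str                 # profile that ran the menu option
    reason: str                     # the recorded "why"
    granted_at: datetime
    expires_at: Optional[datetime]  # None means no time limit was set


def review(grants: List[Grant]) -> List[tuple]:
    """Return (programmer, finding) pairs for the security administrator to follow up."""
    findings = []
    for g in grants:
        # Requester and grantor being the same profile means no second person was involved.
        if g.granted_by.upper() == g.programmer.upper():
            findings.append((g.programmer, "self-granted"))
        if not g.reason.strip():
            findings.append((g.programmer, "no reason recorded"))
        if g.expires_at is None:
            findings.append((g.programmer, "no expiry"))
        elif g.expires_at - g.granted_at > MAX_WINDOW:
            findings.append((g.programmer, "window exceeds limit"))
    return findings


# Constructed sample records, not real log data.
T0 = datetime(2002, 5, 23, 2, 0)
SAMPLE = [
    Grant("PGMR01", "OPER07", "Nightly billing job abend", T0, T0 + timedelta(hours=2)),
    Grant("PGMR02", "PGMR02", "", T0, T0 + timedelta(hours=2)),
    Grant("PGMR03", "OPER07", "Fix order file", T0, None),
    Grant("PGMR04", "OPER09", "Data repair", T0, T0 + timedelta(days=3)),
]

if __name__ == "__main__":
    for who, finding in review(SAMPLE):
        print(f"{who}: {finding}")
```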