
How much authority should programmers have?

What has been your opinion and experience in giving programmers access to production libraries to fix critical production problems? Is this acceptable, and would this pass an IT audit? Should programmers be able to invoke this application themselves to grant themselves additional authority? Would this pass a typical IT audit?

Scenario: At our company, programmers have *USE authority to production libraries. We have a procedure in place to give additional authority to programmers when needed to fix critical problems. The programmer calls our operations department and requests temporary *ALLOBJ access. The operator will invoke an in-house application from a menu, record "why" the programmer needed the access, put in the programmer's user I.D., etc. (In the background, *ALLOBJ is added to the programmer's user profile, auditing is invoked, a time limit is set on when to expire this access, etc.) Also, an audit report is generated with a log of the programmer's activity; the security administrator can then review this audit log for abuse. Our application managers would like to see programmers have the capability to give themselves the *ALLOBJ access via our application and menu option, instead of having to call operations. Please refer to my earlier questions.

I believe that you want to keep your current implementation. That way you have a clear and separate path to programmers' obtaining *ALLOBJ special authority. This method I believe should pass an audit. You will have a much more difficult time getting the proposed method through an audit.
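
The controls described in the scenario (a separate grantor, a recorded reason, a time limit) can be checked mechanically over the grant records. The following is an added example, not part of the original question or answer and not the company's in-house application; the record layout, profile names and the four-hour maximum window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: the page says a time limit is set, not how long it is.
MAX_WINDOW = timedelta(hours=4)

@dataclass
class Grant:                      # hypothetical record layout
    programmer: str               # profile that received *ALLOBJ
    granted_by: str               # profile that ran the menu option
    reason: str                   # the recorded "why"
    granted_at: datetime
    expires_at: Optional[datetime]  # None means no time limit was set

def review(grant):
    """Return the list of control failures for one temporary *ALLOBJ grant."""
    findings = []
    # Separation of duties: the grantor must not be the recipient.
    if grant.granted_by.strip().upper() == grant.programmer.strip().upper():
        findings.append("self-granted")
    if not grant.reason.strip():
        findings.append("no reason recorded")
    if grant.expires_at is None:
        findings.append("no expiry")
    elif grant.expires_at <= grant.granted_at:
        findings.append("expiry not after grant time")
    elif grant.expires_at - grant.granted_at > MAX_WINDOW:
        findings.append("window exceeds policy")
    return findings

def review_all(grants):
    """Map record index to findings, listing only records that fail a check."""
    report = {}
    for index, grant in enumerate(grants):
        findings = review(grant)
        if findings:
            report[index] = findings
    return report

# Constructed sample records, not taken from any real system.
T0 = datetime(2024, 1, 15, 2, 30)
SAMPLE = [
    Grant("PGMR01", "OPER01", "Nightly batch job failed", T0, T0 + timedelta(hours=2)),
    Grant("PGMR02", "pgmr02", "Fix invoice file", T0, T0 + timedelta(hours=2)),
    Grant("PGMR03", "OPER01", "  ", T0, None),
    Grant("PGMR04", "OPER02", "Data repair", T0, T0 + timedelta(days=3)),
]

if __name__ == "__main__":
    for index, findings in review_all(SAMPLE).items():
        print(SAMPLE[index].programmer, findings)
```

Under the proposed self-service menu option every record would carry the same profile in both fields, so the first check would flag all of them.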

