
Conference iosg::all-in-1_v30

Title: *OLD* ALL-IN-1 (tm) Support Conference
Notice: Closed - See Note 4331.l to move to IOSG::ALL-IN-1
Moderator: IOSG::PYE
Created: Thu Jan 30 1992
Last Modified: Tue Jan 23 1996
Last Successful Update: Fri Jun 06 1997
Number of topics: 4343
Total number of notes: 18308

2494.0. "Security - NEWDIR revisited." by ZPOVC::LCLEE () Tue Mar 30 1993 14:06

    Hi,
    
    
    One of our customers is very concerned about the privileged user, e.g.
    the ALL-IN-1 System Manager, accessing confidential mail messages via
    NEWDIR or from DCL (they use WordPerfect as default editor). I've read
    discussions on NEWDIR in old ALL-IN-1 conference. However, the customer
    is still asking for help to track and reduce the chances of users using
    NEWDIR and if possible to log all the access to the OA$SHARnnnn
    directories either via DCL or NEWDIR.
    
    If the CMD privilege is set to "N" (disable to reduce use of NEWDIR
    interactively) for ALL-IN-1 System Manager and application programmers,
    will there be any problems for the ALL-IN-1 System Manager to run all
    the housekeeping jobs? I've done some very brief testing and found that
    the EW job was unable to process the MANAGER account and other
    housekeeping jobs seemed to be o.k.
    
    
    Appreciate any info or pointer.
    
    Thanks.
    
    Regards,
    Lee
    
T.R     Title                User       Personal Name                            Date                   Lines
2494.1  Management Problem!  IOSG::PYE  Graham - ALL-IN-1 Sorcerer's Apprentice  Tue Mar 30 1993 14:37  16
    There used to be an ASSET that replaced NEWDIR with another version
    that either tracked its use or restricted its use. Or both, I can't
    remember. Perhaps you could look for that.
    
    However, given that the ALL-IN-1 Manager must have at least SYSPRV,
    they can read any filecab document on the system anyway. Taking away
    CMDPRV would only stop anyone who had the slightest knowledge for a few
    minutes (or even seconds!!)
    
    Really, the solution is not technical, but Managerial. If you can't
    trust the ALL-IN-1 Manager not to abuse his privileges, then give
    someone else the job! Remind anyone privileged that reading someone
    else's mail is the same as searching their desk for paper mail, and in
    most countries would be a serious disciplinary or firing offence.
    
    Graham