AUDITING the software's AUTHORITY

The Challenge: After going through our spreadsheet of users that required being removed, I was unable to locate any of those users in the EDI software. In order to complete our audit with E&Y we need the ability to show prove via query or report that the appropriate access is granted to users in the EDI software. Can you please provide either the table/file the users in EDI software side in or a report that can be run that shows what users have access? 

The Analysis: We are talking of two access points here, the IBMi and the EDI software. There two layers here: the IBMi user profile and the EDI software users. To get a list of IBMi users: from the command line=> DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(YOURLIB/URFILENAME). The three most important fields in this file/list are:

• UPUPRF -  User Profile Name 

• UPGRPF  -  Group profile 

• UPTEXT  -  Text description 

And for the EDI software users in a file called UREDIDTALB/EDUSROPF:

The Solution: To show who has access (u.UPUPRF, u.UPTEXT, OAORAF) to the EDI software by group profile, we will need to left join EDUSROPF with URFILENAME as g with URFILENAME as u on g.UPUPRF=OAUSRN and g.UPUPRF=u.UPGRPF where g.UPGRPF='*NONE'.

To show who has access (u.UPUPRF, u.UPTEXT, OAORAF) to the EDI software by explcite user profile, we will need to left join EDUSROPF with URFILENAME on UPUPRF=OAUSRN.

And let them know, whoever is not in the above lists will have limited access.

Final NOTE: There is another layer of security: Menus - You need to be given access to the software's menu system to access the EDI system/transactions. 

The above solution controls the "Access to the EDI Software" but regular IBMi object authority is applicable. If you put a user id as *EXCLUDED (3) in the Organization Authorization, it does NOT mean to say that the user is not allowed to access the EDI libraries. This part is being controlled by the IBMi's Object Authorization. 

Thinking of a new CHALLENGE? Let us know HERE.