Powertech Policy Minder for IBM i
July 2022
Version 2.3
July 19, 2022
Enhancements
- For system value policy QSSLCSL, all new values introduced in IBM i 7.4 are now supported.
- For system value policy QSSLPCL, the *TLSV1.3 value is now supported.
Fixes
- Updated to Log4j 2.17 to resolve vulnerabilities.
- The *DIRAUT policy now correctly allows a new directory.
- Fixed an issue where the license screen could not be displayed if the SKYPM menu was displayed without first explicitly adding the product library to the library list.
- Fixed an issue where failed upgrades were being reported as successful.
- Fixed an issue where the CHECK command failed to run the DB reorganization step.
- Fixed the USROBJ category in the Policy Minder Web UI showing the value *ANY as out of compliance.
- Fixed an issue when configuring the JOBD category, where changes to the job descriptions on the policy list were not saved.
- Fixed an issue where the compliance displayed for DIRAUT was incorrect.
- The ANZSQLINF report now displays all programs with a Dynamic SQL statement.
- Fixed an issue with value prompting that occurred when the user defined an object template under Directory Authorities.
- Fixed an issue where not all system values were being displayed on IBM i 7.4 systems.
- Fixed the "Date too short for specified format" error.
- Fixed an issue where authorization list values in the Compliance check became hidden.
- Fixed an issue with *ALLCRTCHG missing from system value policy QPWDRULES.
- Fixed an issue where email addresses that contained a numeric value as a leading character generated an error.
- Fixed an issue where library templates that used "?" in position 10 caused a check to fail.
- Fixed an issue where email sending could fail if multiple instances of the command SNDEMLMSG existed on a system.
August 2018
Version 2.2
Enhancement
- A new version of MSS has been introduced.
Fixes
- An issue causing missing libraries in the *LIBAUT template in WRKPOL has been resolved.
- Policy Minder libraries are now shipped with Object Authority *PUBLIC *EXCLUDE *CHANGE.
- An issue causing the INZPOL command to fail to release a lock on the relevant record in the SKYCA file when used on some categories has been resolved.
- An issue with the FIXLIBAUT command preventing new libraries from being fixed instantly has been resolved.
- An issue causing missing entries subsequent to entries containing the ? (wildcard) character after save in the *USRPRF template has been resolved.
- An issue preventing MSS template import across Policy Minder versions has been resolved.
- A problem causing option 12 in Work with Compliance to incorrectly report that a compliance check has not been done has been resolved.
- An issue preventing the ability to download reports after upgrading from version 1.6 to 2.1 has been resolved.
- A problem causing incomplete policy export has been resolved.
March 2018
Version 2.1
- The ANZSQLINF report now lists only programs with embedded SQL and those that include at least one PREPARE, EXECUTE, or DESCRIBE statement.
- A problem causing missing libraries when using a generic character (e.g. D*) in WRKPOL while changing *LIBAUT templates has been resolved.
- The object authority on Policy Minder libraries SKYVIEWPMP and SKYVIEWPMD has been corrected. It is now *PUBLIC *EXCLUDE (not *PUBLIC *CHANGE).
- The INZPOL command no longer fails to release a lock on the relevant record in the SKYCA file when used on the following categories:
  - *SHARES Record 9
  - *LMTCMD Record 10
  - *JOBD Record 11
  - *USROBJ Record 12
January 2018
Version 2.0
New Features
- *USRPRF (User Profile category):
  - Multiple *DELETE templates can now be created and the *DELETE template that is shipped with the product can be deleted. Creating a new template whose name starts with ‘*DELETE’ will automatically use the *DELETE template format. This allows you to have a scheduled job to automatically delete inactive profiles and use another *DELETExx template to delete profiles on an ad hoc basis.
  - You can now include or omit profiles based on the password last changed date. This is especially helpful for organizations that perform frequent role swaps. The user’s last sign-on date is not replicated, so it’s difficult to know when a profile is inactive. However, the user’s password is replicated; therefore, you can know that a profile is inactive by examining the password last changed date.
  - A new value, *SPCGRP, is available that includes (or omits) profiles whether the special authority is assigned to the user or one of the group profiles. The current value *SPCAUT only includes profiles where the special authority is assigned directly to the profile.
  - You can now check and fix the Printer, Output queue, and Object owner user profile attributes.
  - The Owner attribute has been changed to be Profile owner to clarify that this attribute is the user profile owner, and not the object owner.
- *LIBAUT (Library authority category):
  - The maximum number of object templates has been increased from 999 object templates to 9999.
  - Attributes have been created that will allow you to Include or Omit files (tables) that have been created using SQL.
    - PF-TBL – SQL table
    - LF-INDEX – SQL index
    - LF-VIEW – SQL view
- *DIRAUT (Directory authority category):
  - The maximum number of object templates has been increased from 999 object templates to 9999.
- *SHARES: The Access attribute has been added to each share to indicate whether the share is a Read/Write or Read-only share. If you are already using this category, the attribute will be added to the existing policy when you upgrade the product.
- Exporting individual policies: You can now export an individual template. This allows you to more easily manage your policies from a central partition and not have to export an entire category.
- Output Compliance (OUTCPL) command: This command now allows you to:
  - Send the results of a compliance check to an outfile or streamfile for all categories. In previous releases only the *USRPRF, *LIBAUT and *DIRAUT categories were supported by this command.
  - Email the streamfile (.csv) off the system.
- New FIXIT parameter: A parameter has been added to suppress the compliance check that, by default, occurs after FixIt runs. This is helpful when you have a limited time to run FixIt – this often occurs when you must run FixIt when objects aren’t in use (that is, locked) and have to run FixIt during an outage. Now you can schedule or run FixIt during the outage and run the compliance check after the system has been brought back up.
- Email support: Policy Minder now allows you to specify the sender of the email. Previous releases hard-coded the sender to the profile running the compliance check @partition_name.com. When the partition name wasn’t a valid domain name, the email often failed to send.
Enhancements
- You can now create a *USRPRF, *LIBAUT and *DIRAUT template that specifies objects that don’t exist when either Including or Omitting objects or when defining the policy values (for example, the authorization list securing objects in a library). Previously, the objects had to exist. This change will allow you to more easily manage policies from a central partition without having to create objects so the template could be created.
- Option 11 – FixIt (on the Policy Minder Main Menu) now prompts the FIXIT command, defaulting to run in Test mode rather than prompting to run FIXIT by category.
- Changing a System value category or a template in the *USRPRF, *LIBAUT or *DIRAUT categories to disable the compliance check will no longer automatically cause the category to be out of compliance. In previous releases, disabling the compliance check on one of these set the compliance status of the category to Not compliant, even when the items checked were all compliant.
- Alerts sent to Vision Solutions’ VSP and iOptimize will no longer occur.