Some ideas to create an environment for programmers that is secure yet lets them work effectively.
- Do not grant all special authorities to programmers. Only issue special authorities that they need to do their work. Only a security officer profile should have *ALLOBJ authority.
- Set programmers up in a group, but don't associate them with the special QPGMR profile provided by IBM as that has some special qualities that you don't want associated with programmers.
- Don't give programmers direct access to production libraries. Set up test libraries and control the distribution of live data into them. To create test data, set up a special copy program that adopts the necessary authority to create copies of production files in your test environment. Monitor the use of that program including maintaining an internal log of when it is used and by whom.
- Consider changing compile commands so they only run in batch. And default programmers to the QPGMR subsystem with priority 30 so they can't stealing CPU cycles from production. Also consider restricted access to the CHGJOB command.
- When pushing an application from testing into production, review all data and program objects to make sure that programmer ownership has been removed and that the objects are now all owned by a profile that will be used to control production access.
- Maintain a separate set of files for program source that is being developed. Do not give open access to production versions of source code. Move source in and out of test mode in a controlled way and log when source members are moved in either direction. You can do this from a special program that adopts the necessary authority to make the source member moves and logs use activity.
- Enforce password rules for programmers.
- If a programmer absolutely requires *ALLOBJ, consider adding security to their user profile by requiring a 2 Factor Authentication (2FA) logon protocol. You should also consider Tracking file level changes for important source code.
- Host a client LPAR to create a separate partition on your system where the programmers can have full access while still restricting access in your production environment.