Scenario: At our company, programmers have *USE authority to production libraries. We have a procedure in place to give additional authority to programmers when needed to fix critical problems. The programmer calls our operations department and requests temporary *ALLOBJ access. The operator will invoke an in-house application from a menu, record "why" the programmer needed the access, put in the programmer's user I.D., etc. (In the background, *ALLOBJ is added to the programmer's user profile, auditing is invoked, a time limit is set on when to expire this access, etc.) Also, an audit report is generated with a log of the programmer's activity; the security administrator can then review this audit log for abuse. Our application managers would like to see programmers have the capability to give themselves the *ALLOBJ access via our application and menu option, instead of having to call operations. Please refer to my earlier questions.
I believe that you want to keep your current implementation. That way you have a clear and separate path to programmers' obtaining *ALLOBJ special authority. This method, I believe, should pass an audit. You will have a much more difficult time getting the proposed method through an audit.
This was first published in May 2002