Revoking *ALLOBJ authority
On our iSeries, several users have *ALLOBJ authority. I want to revoke that without annoying these people with security issues. How can I determine which objects a particular user reads/opens/uses?
I understand why you're asking this question, but if you monitored everything that a user touches, you would be overwhelmed with the amount of information to the point of not being able to analyze it.

The approach I would recommend for getting rid of *ALLOBJ is to first determine what applications each user runs, then determine how that application's security scheme is implemented. In other words, does the application require *ALLOBJ? If so, more work is required. But often, applications use adopted authority and so users don't have to be authorized to individual objects.

If users are not running applications but are performing tasks like operators or developers, have them explain to you the tasks they are performing, then look in the iSeries Security Reference manual, Appendix D (available from IBM's Information Center) to determine what authorities they need to the commands they are running.
This was first published in February 2005
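The review described in the answer can be worked through with CL commands along the following lines. This is an added example, not part of the original answer; the profiles APPUSER1 and APPOWNER, the library APPLIB, and the objects ORDENTRY and ORDERS are hypothetical names.

```cl
/* 1. Inventory: print every user profile that holds *ALLOBJ.        */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)

/* 2. For one user on that list (APPUSER1 is hypothetical), display  */
/*    the special authorities and group profiles, since *ALLOBJ can  */
/*    also reach the user through a group profile.                   */
DSPUSRPRF USRPRF(APPUSER1) TYPE(*BASIC)

/* 3. Does the application rely on adopted authority? List the       */
/*    programs that adopt the authority of the application's owner   */
/*    profile (APPOWNER is hypothetical).                            */
DSPPGMADP USRPRF(APPOWNER) OUTPUT(*PRINT)

/* 4. Confirm it for the program the user actually calls: the        */
/*    "User profile" attribute shows *OWNER when the program adopts  */
/*    its owner's authority.                                         */
DSPPGM PGM(APPLIB/ORDENTRY)

/* 5. Check what the user can do to an application object without    */
/*    *ALLOBJ: private, group, authorization list and *PUBLIC        */
/*    authority all appear here.                                     */
DSPOBJAUT OBJ(APPLIB/ORDERS) OBJTYPE(*FILE)

/* 6. Remove *ALLOBJ. SPCAUT replaces the whole list, so name every  */
/*    special authority the user should keep. Keeping *JOBCTL is an  */
/*    assumption for illustration; use SPCAUT(*NONE) if none apply.  */
CHGUSRPRF USRPRF(APPUSER1) SPCAUT(*JOBCTL)
```

Making the change for one user and having that user run through their normal tasks before moving to the next keeps any authority failures easy to trace back to the change.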