Risk associated with *ALLOBJ access in iSeries

ISeries security expert Carol Woodbury discusses the risks associated with granting users *ALLOBJ access.

What is the risk associated with a user having *ALLOBJ access without command line access? Is having such access equivalent to granting a user access to modify the production environment?
Any time you give a user *ALLOBJ access, you are giving them the authority to access any object on the system, including production data. Even though they may not have access to a command line, they can still access the objects through FTP and ODBC. If you give them the ability to launch iSeries Navigator, there are numerous ways to access the data. Also, if you give them the ability to create or modify queries, they will be able to create and run a query against any database file.

Net: You should only give *ALLOBJ to very trusted users. Do not assume that there is a way to control an *ALLOBJ...

user, because there isn't.

This was last published in February 2008

Dig Deeper on iSeries system and application security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: