Ask the Expert

Risk associated with *ALLOBJ access in iSeries

What is the risk associated with a user having *ALLOBJ access without command line access? Is having such access equivalent to granting a user access to modify the production environment?
Any time you give a user *ALLOBJ access, you are giving them the authority to access any object on the system, including production data. Even though they may not have access to a command line, they can still access the objects through FTP and ODBC. If you give them the ability to launch iSeries Navigator, there are numerous ways to access the data. Also, if you give them the ability to create or modify queries, they will be able to create and run a query against any database file.

Net: You should only give *ALLOBJ to very trusted users. Do not assume that there is a way to control an *ALLOBJ user, because there isn't.

This was first published in February 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: