Risk associated with *ALLOBJ access in iSeries
What is the risk associated with a user having *ALLOBJ access without command line access? Is having such access equivalent to granting a user access to modify the production environment?
Any time you give a user *ALLOBJ access, you are giving them the authority to access any object on the system, including production data. Even though they may not have access to a command line, they can still access the objects through FTP and ODBC. If you give them the ability to launch iSeries Navigator, there are numerous ways to access the data. Also, if you give them the ability to create or modify queries, they will be able to create and run a query against any database file.
Net: You should only give *ALLOBJ to very trusted users. Do not assume that there is a way to control an *ALLOBJ user, because there isn't.
This was first published in February 2008