You can't. Some people would attempt to control the programmer
by removing the *ALLOBJ from the programmer, placing the programmer
in a group profile and giving the *ALLOBJ to the group. Then you can
grant the programmer *EXCLUDE authority to the library, prohibiting
him or her from accessing it. The problem with that approach is that
you have to secure many, many interfaces to ensure they can't get
around this roadblock. For example, you'd have to exclude the
programmer from all the profiles that are allowed to work with the
library or else they could submit a job to run under one of those
profiles. You'd have to secure the programmer from being able to
create a program that adopts a profile that has authority to work
with the library. Practically speaking, it is impossible to control
access to a library when a user has *ALLOBJ -- even through a group
profile.

A different approach to take might be to create tools
for the change management process that adopt a powerful
profile and enable the functions for which the
programmers need *ALLOBJ. That way, the programmers can
do their job but not be given *ALLOBJ. This should
satisfy your corporate policy as well.
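
A sketch of one such change-management tool in CL, added here as an example and not part of the original answer. The libraries TESTLIB, PRODLIB and CMTOOLS and the profiles CMOWNER, PRODOWNER and PGMRGRP are hypothetical names; CMOWNER is assumed to hold the authority the promotion needs.

```cl
/* PROMOTE - added example; all library and profile names are hypothetical. */
/* Build and lock down (done by the security officer, not the programmers): */
/*   CRTBNDCL  PGM(CMTOOLS/PROMOTE) SRCFILE(CMTOOLS/QCLSRC) USRPRF(*OWNER)  */
/*   CHGOBJOWN OBJ(CMTOOLS/PROMOTE) OBJTYPE(*PGM) NEWOWN(CMOWNER)           */
/*   CHGPGM    PGM(CMTOOLS/PROMOTE) USEADPAUT(*NO)                          */
/*   GRTOBJAUT OBJ(CMTOOLS/PROMOTE) OBJTYPE(*PGM) USER(*PUBLIC) +           */
/*               AUT(*EXCLUDE)                                              */
/*   GRTOBJAUT OBJ(CMTOOLS/PROMOTE) OBJTYPE(*PGM) USER(PGMRGRP) AUT(*USE)   */
/* Programmers (group PGMRGRP, no *ALLOBJ) then run:                        */
/*   CALL PGM(CMTOOLS/PROMOTE) PARM('ORDENTRY' '*PGM')                      */
PGM        PARM(&OBJ &TYPE)
  DCL        VAR(&OBJ)  TYPE(*CHAR) LEN(10)
  DCL        VAR(&TYPE) TYPE(*CHAR) LEN(7)
  DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

  /* Fixed scope: only programs, only TESTLIB to PRODLIB. The caller never  */
  /* supplies a library name or a command string to run under CMOWNER.      */
  IF         COND((&TYPE *NE '*PGM') *AND (&TYPE *NE '*SRVPGM')) THEN(DO)
    QSYS/SNDPGMMSG MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                     MSGDTA('Object type not allowed') MSGTYPE(*ESCAPE)
  ENDDO

  /* Commands are qualified with QSYS so the caller's library list cannot   */
  /* substitute a look-alike command while authority is adopted.            */
  QSYS/CHKOBJ OBJ(TESTLIB/&OBJ) OBJTYPE(&TYPE)
  MONMSG     MSGID(CPF9800) EXEC(DO)
    QSYS/SNDPGMMSG MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                     MSGDTA('Object not available in TESTLIB') +
                     MSGTYPE(*ESCAPE)
  ENDDO

  /* The only privileged work: move the object and hand it to the           */
  /* production owner. Any failure here ends the program with an escape.    */
  QSYS/MOVOBJ    OBJ(TESTLIB/&OBJ) OBJTYPE(&TYPE) TOLIB(PRODLIB)
  QSYS/CHGOBJOWN OBJ(PRODLIB/&OBJ) OBJTYPE(&TYPE) NEWOWN(PRODOWNER) +
                   CUROWNAUT(*REVOKE)

  /* Record who asked for the promotion. Adoption does not change the       */
  /* current user, so this is the programmer's own profile.                 */
  QSYS/RTVJOBA   CURUSER(&USER)
  QSYS/SNDPGMMSG MSG('PROMOTE:' *BCAT &OBJ *BCAT 'moved to PRODLIB by' +
                   *BCAT &USER) TOMSGQ(*SYSOPR)
ENDPGM
```

Keeping the program in a library the programmers cannot change, with *PUBLIC set to *EXCLUDE, is what stops the adopting tool itself from becoming the way around the control.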