
	Home > Ask the AS/400 Experts > iSeries Security Questions & Answers > *Things about ALLOBJ special authority to be aware of**

Ask The iSeries 400 Expert: Questions & Answers

EMAIL THIS

Things about *ALLOBJ special authority to be aware of

EXPERT RESPONSE FROM: Carol Woodbury

		Pose a Question

		Other iSeries 400 Categories

		Meet all iSeries 400 Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 21 September 2004
We have been discovering many quirks for profiles with *ALLOBJ special authority. Specifically, we are finding that operators with *JOBCTL and *SPLCTL are not permitted to view the job log for any job running under a profile that has the *ALLOBJ authority. Why is this? Just displaying a job log seems harmless enough, especially given *SPLCTL and *JOBCTL are already specified.

Another thing we've discovered is that operators with *SECADM cannot see or work with user profiles if those user profiles were made by someone with *ALLOBJ. My understanding was that *SECADM allowed a user to do everything with user profiles, regardless of who created them. Why should this not be the case? Also, is there any systematic way to identify those profiles that were created by a profile with *ALLOBJ?

Finally, is there any place that documents these "exceptions" to the rules with *ALLOBJ special authority?

Yes, there are some things about *ALLOBJ special authority that you need to be aware of. While you may not consider looking at an *ALLOBJ joblog to be a problem, others do. Users with *ALLOBJ may have created profiles or other objects that you don't want just anyone knowing about, for example. If not being able to view the joblog of an *ALLOBJ user is an issue, you may want to consider writing a CL command that displays job logs and have the CL program be owned by and adopt the authority of a user with *ALLOBJ. Then authorize your operators to this program.

The issue with users that have *SECADM not being able to manage user profiles is not because the profiles were created by an *ALLOBJ user. It's because the *SECADM users don't have authority to the profiles. You must have *USE and *SECADM to change a profile.

These "exceptions" are all documented or noted in Appendix D of the iSeries Security Reference manual, available as a .PDF from the IBM Information Center

==================================
MORE INFORMATION ON THIS TOPIC
==================================

The Best Web Links: tips, tutorials and more.

Search400's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Check out this Search400.com Featured Topic: Top ten security tips

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	iSeries Security
	Changing password security levels and upgrading operating systems on the IBM i
	Determine the value of parameter UPPWEI in the DSPUSRPRF field
	Define journal code value "K"
	Modify content within a journal receiver file
	Change password parameters on the AS/400 without deactivating user's passwords
	Prevent insiders with READ or USE access from circumventing object authority on IBM i
	Prevent insiders from obtaining user ids and passwords on the IBM i
	Change the IBM i system to allow only certain types of SSL protocol versions
	Authorize a specific user to select files in a separate library
	Allow a user to view a library prod without granting full access to all data

iSeries system and application security

Developing a security incident response system for System i

Setting up security for programmers on IBM i

Blocking AS/400 DB2 users

Trouble accessing IFS path from Win2k3 server

Checking in on your IBM i authorization lists

Strategies for securing IBM i production files

Changing password security levels and upgrading operating systems on the IBM i

Determine the value of parameter UPPWEI in the DSPUSRPRF field

Define journal code value "K"

Modify content within a journal receiver file

iSeries physical security

Security considerations for IBM i backups

Time for a security checkup for your i

Recovering your AS/400 security configuration

A guide to System i security, part 2: Landing and establishing access

A guide to System i security: Descending into the heart of darkness of IT security

Learning guide: Steps to a secure System i

Securing printed output

12 security tips in 12 minutes

Are all of your System i (iSeries) doors closed? -- part 1

Can you trust all those trigger programs?

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

midrange (Search400.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

iSeries Networking - Printing, Remote Access, TCP/IP

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 1999 - 2009, TechTarget \| Read our Privacy Policy