AS/400 security auditing and *ALLOBJ access

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries Security Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions Authorize a specific user to select files in a separate library Allow a user to view a library prod without granting full access to all data

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The client's answer is obviously wrong. *ALLOBJ gives them the ability to do whatever they want to to an object. There are numerous issues with the scenario you described. First, programmers should not be promoting their own objects (no separation of duties there!). Second, programmers should not permanently need *ALLOBJ assigned to their profiles. If it is a small shop, there are occasions when programmers may need more capabilities, such as during a system or application update. I would audit the commands the programmers run by using the CHGUSRAUD command, specifying *CMD for the AUDLVL parameter. Then monitor this activity in the audit journal by looking for CD entries.