Q
Manage Learn to apply best practices and optimize your operations.

Adopted authority and ALLOBJ special authority

I have two questions about security:
  1. How can we use the adopted authority for users that have access to the command line?

  2. If I have 800 users working on an i5/OS400, what will be the acceptable average for users that have ALLOBJ special authority?

I have two questions about security:
  1. How can we use the adopted authority for users that have access to the command line?

  2. If I have 800 users working on an i5/OS400, what will be the acceptable average for users that have ALLOBJ special authority?
  1. Adopted authority is an attribute of a program and those programs can be used by users either with or without command line access. Adopted authority can be used in many ways. One way is to write a utility that performs the task of a user that needs more authority or more special authorities than the user has. For example, my clients will often write utilities to help their administrative staff create and manage user profiles, thus avoiding having to assign *SECADM to their profiles directly.

  2. Rather than answer your question directly, what I would encourage you to do is examine the roles within your organization that need *ALLOBJ to perform their job functions and limit the *ALLOBJ assignment to only those roles.

    Roles such as the system administrator and security officer regularly run system functions that require *ALLOBJ, so you may want to assign those users (or the group profile representing the security officer role) *ALLOBJ special authority. How many users in each role really depends on how your organization is structured. Do you have a system administrator on site 24x7? If so, you will have more users with *ALLOBJ than an organization that has one or two administrators available during the 1st shift only. Who has *ALLOBJ also depends on how many "hats" one person wears. Sometimes the administrator is also the security officer -- so only one person would have *ALLOBJ. In some shops, these duties are separated.

    There may be occasions when a non-administrator needs *ALLOBJ. So what I would do in that case is write a CL program that adopts a powerful (*ALLOBJ) user, performs the task and ends. Again, avoiding giving *ALLOBJ to the user directly.

    So while it's not possible to give an exact number, *ALLOBJ needs to be truly limited to those roles that absolutely positively must have *ALLOBJ in their profile or their group's profile and the best way to determine this is to determine the roles on your system and what functions they must perform. (Note that programmers do NOT need *ALLOBJ special authority!)

Dig Deeper on iSeries system and application security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchDataCenter

Close