- How can we use the adopted authority for users that have access to the command line?
- If I have 800 users working on an i5/OS400, what will be the acceptable average for users that have ALLOBJ special authority?
- Adopted authority is an attribute of a program and those programs can be used by users either with or without command line access. Adopted authority can be used in many ways. One way is to write a utility that performs the task of a user that needs more authority or more special authorities than the user has. For example, my clients will often write utilities to help their administrative staff create and manage user profiles, thus avoiding having to assign *SECADM to their profiles directly.
- Rather than answer your question directly, what I would encourage you to do is examine the roles within your organization that need *ALLOBJ to perform their job functions and limit the *ALLOBJ assignment to only those roles.
Roles such as the system administrator and security officer regularly run system functions that require *ALLOBJ, so you may want to assign those users (or the group profile representing the security officer role) *ALLOBJ special authority. How many users in each role really depends on how your organization is structured. Do you have a system administrator on site 24x7? If so, you will have more users with *ALLOBJ than an organization that has one or two administrators available during the 1st shift only. Who has *ALLOBJ also depends on how many "hats" one person wears. Sometimes the administrator is also the security officer -- so only one person would have *ALLOBJ. In some shops, these duties are separated.
There may be occasions when a non-administrator needs *ALLOBJ. So what I would do in that case is write a CL program that adopts a powerful (*ALLOBJ) user, performs the task and ends. Again, this avoids giving *ALLOBJ to the user directly.
So while it's not possible to give an exact number, *ALLOBJ needs to be truly limited to those roles that absolutely positively must have *ALLOBJ in their profile or their group's profile and the best way to determine this is to determine the roles on your system and what functions they must perform. (Note that programmers do NOT need *ALLOBJ special authority!)
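The two patterns described in this answer, a utility that adopts its owner's authority to perform one narrowly defined task, and a check that tells you who currently holds *ALLOBJ, as an added CL example. This is not code from the original answer or from Carol Woodbury; the library SECLIB, the group profile HELPDESK, the program names ADPCRTUSR and LSTALLOBJ, and the owning profile are all assumptions, and the second program assumes a release where the RUNSQL command and the QSYS2.USER_INFO view are available.

```cl
/* ADPCRTUSR: create a user profile under adopted authority (example).  */
/* Compile as the profile that owns the authority you want adopted      */
/* (a *SECADM/*ALLOBJ profile; assumed here, not a page value):         */
/*   CRTCLPGM PGM(SECLIB/ADPCRTUSR) SRCFILE(SECLIB/QCLSRC) +            */
/*            USRPRF(*OWNER) AUT(*EXCLUDE)                              */
/* then open it only to the role that needs it:                         */
/*   GRTOBJAUT OBJ(SECLIB/ADPCRTUSR) OBJTYPE(*PGM) USER(HELPDESK) +     */
/*             AUT(*USE)                                                */
             PGM        PARM(&USER &TEXT)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(50)
             DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(80)

 /* Refuse to touch the IBM-reserved Q* profile name space. */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Q* profiles are reserved') +
                             MSGTYPE(*ESCAPE)
             ENDDO

 /* Every security-relevant parameter is fixed here rather than    */
 /* passed in, so the caller cannot obtain special authorities,    */
 /* a command line or a password through this adopting program.   */
             CRTUSRPRF  USRPRF(&USER) PASSWORD(*NONE) +
                          USRCLS(*USER) SPCAUT(*NONE) +
                          INLPGM(*NONE) LMTCPB(*YES) +
                          TEXT(&TEXT)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP) MSG(&MSG)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA(&MSG) MSGTYPE(*ESCAPE)
             ENDDO

 /* Record who used the utility, in addition to what QAUDJRN logs. */
             RTVJOBA    USER(&CALLER)
             CHGVAR     VAR(&MSG) VALUE('Profile' *BCAT &USER *BCAT +
                          'created by' *BCAT &CALLER)
             SNDPGMMSG  MSG(&MSG) MSGTYPE(*COMP)
             ENDPGM

/* ---------------------------------------------------------------- */
/* LSTALLOBJ: list every profile that holds *ALLOBJ directly, for   */
/* the role-by-role review the answer recommends (example).         */
/* Run from the security officer's profile so all rows are visible. */
             PGM
             RUNSQL     SQL('CREATE TABLE QTEMP/ALLOBJ AS (SELECT +
                          AUTHORIZATION_NAME, STATUS, USER_CLASS_NAME, +
                          GROUP_PROFILE_NAME, SPECIAL_AUTHORITIES +
                          FROM QSYS2.USER_INFO +
                          WHERE SPECIAL_AUTHORITIES LIKE ''%*ALLOBJ%'') +
                          WITH DATA') COMMIT(*NONE)
             RUNQRY     QRYFILE((QTEMP/ALLOBJ))
             ENDPGM
```

Two points to keep in mind when using this. The LSTALLOBJ query only finds profiles with *ALLOBJ assigned directly; a user who inherits it through a group appears on the group's row, so check GROUP_PROFILE_NAME on the remaining profiles as well. And because adopted authority carries the owner's special authorities, the adopting program must own nothing it does not need: AUT(*EXCLUDE) plus a grant to the one group, and no parameter that lets the caller choose what the command does.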
Related Q&A from Carol Woodbury