
Excluding a user profile

Is there a command that allows you to exclude a user profile for everything but a few specific objects without having to assign *EXCLUDE to all objects on the system?
No, but . . .
Rather than think of excluding a user from every object on the system, think of excluding a user (or their group) from applications. If you think about how applications are implemented, they are typically a set of libraries and/or directories. If you exclude a user (or their group) from the library or directory, they cannot access anything in the library or directory. For the libraries the user does need access to, you're going to have to determine whether you need to exclude the user from other objects in that library. But rather than thinking of excluding someone from every object on the system, try stepping back and taking a slightly broader approach. Hopefully the task won't seem so daunting that way.



iSeries authority -- How the system checks it

When a user attempts to perform an operation on an object, the system verifies that the user has adequate authority for the operation. The system first checks authority to the library or directory path that contains the object. If the authority to the library or directory path is adequate, the system checks authority to the object itself. In the case of database files, authority checking is done at the time the file is opened, not when each individual operation to the file is performed.

During the authority-checking process, when any authority is found (even if it is not adequate for the requested operation) authority checking stops and access is granted or denied. The adopted authority function is the exception to this rule.

Adopted authority can override any specific (and inadequate) authority found.
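
The checking order described above can be modeled in a few lines. This is an added example, not IBM i code and not from the original page: it is a simplified model that assumes the search order is user, then groups, then *PUBLIC, and that *USE is adequate authority to a library. All profile, library and object names are constructed.

```python
# Simplified model of the authority check described above (a sketch with
# stated assumptions, not IBM i code). All names below are constructed.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

def first_found(auths, user, groups):
    """Return the first authority found: user, then groups, then *PUBLIC.
    Assumption: this search order is a simplification."""
    for profile in [user, *groups, "*PUBLIC"]:
        if profile in auths:
            return auths[profile]      # checking stops at the first hit
    return "*EXCLUDE"                  # nothing found at all

def adequate(auths, user, groups, needed, adopted_owner=None):
    """True if the first authority found is enough for the operation."""
    if RANK[first_found(auths, user, groups)] >= RANK[needed]:
        return True
    # The exception: authority adopted from a program owner can override
    # a specific but inadequate authority.
    if adopted_owner is not None:
        return RANK[first_found(auths, adopted_owner, [])] >= RANK[needed]
    return False

def can_access(user, groups, lib_auths, obj_auths, needed, adopted_owner=None):
    """Library is checked first; the object is checked only if that passes."""
    # Assumption: *USE counts as adequate authority to the library.
    if not adequate(lib_auths, user, groups, "*USE", adopted_owner):
        return False
    return adequate(obj_auths, user, groups, needed, adopted_owner)

# Constructed sample authorities: one *EXCLUDE entry on the application
# library instead of one on every object inside it.
APPLIB = {"*PUBLIC": "*USE", "TEMPGRP": "*EXCLUDE", "APPOWNER": "*ALL"}
ORDERS = {"*PUBLIC": "*CHANGE", "APPOWNER": "*ALL"}
HRLIB = {"*PUBLIC": "*USE"}
SALARY = {"*PUBLIC": "*CHANGE", "JSMITH": "*USE", "APPOWNER": "*ALL"}

if __name__ == "__main__":
    # Group excluded from the library: the object is never reached.
    print(can_access("CONTRACT1", ["TEMPGRP"], APPLIB, ORDERS, "*USE"))
    # Private *USE is found first, so *PUBLIC *CHANGE is never consulted.
    print(can_access("JSMITH", [], HRLIB, SALARY, "*CHANGE"))
    # Same excluded user, running a program that adopts APPOWNER's authority.
    print(can_access("CONTRACT1", ["TEMPGRP"], APPLIB, ORDERS, "*CHANGE",
                     adopted_owner="APPOWNER"))
```

The third case is the one to audit for: a library-level *EXCLUDE does not stop access through programs that adopt their owner's authority.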
