However, the command line is not restricted to these individuals. Is there any risk here? Is it possible for a creative or smart individual to circumvent object authority and update production data or programs?
The only way users would be able to circumvent the object authority is if they have *ALLOBJ special authority or if they are able to gain more authority than they currently have. For example, a user would be able to gain more authority by calling a program that adopts a powerful user such as QSECOFR and puts up a command, or if they had *USE authority to a powerful profile and could swap to it. Default authority to user profiles is *PUBLIC *EXCLUDE so this would have had to been a conscious choice to open up access to the profile.
In addition, you have to have *ALLOBJ authority yourself to be able to create a program that adopts QSECOFR or some other *ALLOBJ profile.
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
The UPPWEI field corresponds to the password expiration interval field, and its values "0" and "-1" represent the *SYSVAL and *NOXMAX commands. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.