I have been asked to reduce the number of *ALLOBJ and other special authorities from our users on six iSeries. I am not sure how to approach this. I have started to look at the public authorities that exist, and have put the users in groups and granted the groups enough authority to the libraries and then to the files. This is after I have taken away the *ALLOBJ. Does this sound like the correct path?
Yes, you are going down the right path. If you can, you want to step back and not get caught up in the details too quickly. One approach to take is outlined in a publication in IBM's Infocenter. It's a publication called Basic Security and you can find it under the Security topic. It takes a high-level approach and then walks you through various levels until you're implementing the details. First it has you list out each application on your system, then the type of user needing to use each application, and then the access each type of user requires. The next section is to list out the types of users on the system and categorize them into groups. Eventually you get down to moving users into groups and authorizing the groups to the objects directly or to authorization lists securing the objects.
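The last step of that sequence, sketched as CL commands for a single application. This is an added example, not taken from the answer or from the Basic Security publication; the library APLIB, group profile GRPAP, authorization list APAUTL, user JSMITH and the *CHANGE access level are all hypothetical choices for illustration.

```cl
/* Inventory: report the profiles that currently hold *ALLOBJ */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)

/* Group profile for one type of user (hypothetical name GRPAP).    */
/* PASSWORD(*NONE) so that nobody can sign on as the group itself.  */
CRTUSRPRF USRPRF(GRPAP) PASSWORD(*NONE) TEXT('AP application users')

/* Authorization list that will secure the application files.       */
/* Public authority on the list is *EXCLUDE; only the group is added. */
CRTAUTL AUTL(APAUTL) AUT(*EXCLUDE) TEXT('AP application files')
ADDAUTLE AUTL(APAUTL) USER(GRPAP) AUT(*CHANGE)

/* The group needs *USE to the library to reach the objects in it */
GRTOBJAUT OBJ(APLIB) OBJTYPE(*LIB) USER(GRPAP) AUT(*USE)

/* Secure every file in the library with the list, and make *PUBLIC */
/* take its authority from the list instead of from each object     */
GRTOBJAUT OBJ(APLIB/*ALL) OBJTYPE(*FILE) AUTL(APAUTL)
GRTOBJAUT OBJ(APLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Only now move the user into the group and remove the special     */
/* authorities, so access comes from the group from this point on   */
CHGUSRPRF USRPRF(JSMITH) GRPPRF(GRPAP) SPCAUT(*NONE)

/* Verify: who is on the list, and which objects it secures */
DSPAUTL AUTL(APAUTL)
DSPAUTLOBJ AUTL(APAUTL)
```

Granting the group and list authorities before the CHGUSRPRF step means the user never has a window with no access, and any authority failures that follow show which application access was missed in the planning lists.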