On our iSeries, several users have *ALLOBJ authority. I want to revoke that without annoying these people with security issues. How can I determine which objects a particular user reads/opens/uses?
I understand why you're asking this question, but if you monitored everything that a user touches, you would be overwhelmed with the amount of information to the point of not being able to analyze it. The approach I would recommend for getting rid of *ALLOBJ is to first determine what applications each user runs, then determine how that application's security scheme is implemented. In other words, does the application require *ALLOBJ? If so, more work is required. But often, applications use adopted authority and so users don't have to be authorized to individual objects. If users are not running applications but are performing tasks like operators or developers, have them explain to you the tasks they are performing, then look in the iSeries Security Reference manual, Appendix D (available from IBM's Information Center) to determine what authorities they need to the commands they are running.
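As an added illustration of the approach in the answer above (not code from the original answer), this CL program lists every profile that holds *ALLOBJ and then prints which programs adopt an application owner's authority. APPOWNER and APPLIB/ORDENTRY are hypothetical names to replace with your own, and the %SCAN built-in assumes a release whose CL supports it.

```cl
/* Added example: inventory *ALLOBJ holders, then check adoption.   */
/* APPOWNER and APPLIB/ORDENTRY are hypothetical placeholder names. */
PGM
   /* Model outfile for DSPUSRPRF TYPE(*BASIC); supplies the field  */
   /* variables &UPUPRF (profile) and &UPSPAU (special authorities) */
   DCLF       FILE(QSYS/QADSPUPB)

   /* 1. Dump basic information for all profiles to a work file     */
   DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                OUTFILE(QTEMP/USRPRF)
   OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRF)

   /* 2. Report each profile whose special authorities list         */
   /*    contains *ALLOBJ (messages land in the job log)            */
 NEXT:
   RCVF
   MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(ADOPT)) /* end of file */
   IF         COND(%SCAN('*ALLOBJ' &UPSPAU) *GT 0) +
                THEN(SNDPGMMSG MSG('Has *ALLOBJ:' *BCAT &UPUPRF))
   GOTO       CMDLBL(NEXT)

   /* 3. List programs that adopt the application owner's authority.*/
   /*    Users who only run these do not need their own *ALLOBJ.    */
 ADOPT:
   DLTOVR     FILE(QADSPUPB)
   DSPPGMADP  USRPRF(APPOWNER) OUTPUT(*PRINT)

   /* 4. For one entry-point program, the "User profile" attribute  */
   /*    in the listing shows *OWNER (adopts) or *USER (does not)   */
   DSPPGM     PGM(APPLIB/ORDENTRY) OUTPUT(*PRINT)
ENDPGM
```

Run it under a profile that is authorized to display the user profiles and programs involved; the two spooled listings and the job log messages together give the starting inventory for the application-by-application review.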