
Securing a library

My company uses a four-tier validation environment to control software change (dev., test, validation and controlled). Some programmers need *ALLOBJ, yet corporate policy refuses it in order to protect the validation and controlled environments -- fair enough. How can you secure a library in such a way that an *ALLOBJ programmer cannot access it?

You can't. Some people would attempt to control the programmer by removing the *ALLOBJ from the programmer, placing the programmer in a group profile and giving the *ALLOBJ to the group. Then you can grant the programmer *EXCLUDE authority to the library, prohibiting him or her from accessing it. The problem with that approach is that you have to secure many, many interfaces to ensure they can't get around this roadblock. For example, you'd have to exclude the programmer from all the profiles that are allowed to work with the library or else they could submit a job to run under one of those profiles. You'd have to secure the programmer from being able to create a program that adopts a profile that has authority to work with the library. Practically speaking, it is impossible to control access to a library when a user has *ALLOBJ -- even through a group profile.

A different approach to take might be to create tools for the change management process that adopt a powerful profile and enable the functions for which the programmers need *ALLOBJ. That way, the programmers can do their job but not be given *ALLOBJ. This should satisfy your corporate policy as well.
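One way to build such a tool, as an added example that is not part of the original answer: a CL program that adopts its owner's authority to promote an object between two fixed libraries. The names DEVLIB, TESTLIB, TOOLLIB, PROMOTE, CHGMGTOWN and PGMRGRP are hypothetical, as is the choice to give the owning profile authority to those two libraries only.

```cl
/* PROMOTE - added example; every library, profile and program name  */
/* here is hypothetical. The security officer builds and secures it: */
/*   CRTCLPGM  PGM(TOOLLIB/PROMOTE) SRCFILE(TOOLLIB/QCLSRC) +        */
/*             USRPRF(*OWNER) AUT(*EXCLUDE)                          */
/*   CHGOBJOWN OBJ(TOOLLIB/PROMOTE) OBJTYPE(*PGM) NEWOWN(CHGMGTOWN)  */
/*   GRTOBJAUT OBJ(TOOLLIB/PROMOTE) OBJTYPE(*PGM) USER(PGMRGRP) +    */
/*             AUT(*USE)                                             */
/* Assumption: CHGMGTOWN is authorized to DEVLIB and TESTLIB only,   */
/* and programmers have no authority to the CHGMGTOWN profile.       */
             PGM        PARM(&OBJ &TYPE)
             DCL        VAR(&OBJ)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&TYPE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSG)  TYPE(*CHAR) LEN(80)

/* Source and target libraries are fixed; the caller picks only the  */
/* object name, and only program objects are accepted.               */
             IF         COND((&TYPE *NE '*PGM') *AND +
                          (&TYPE *NE '*SRVPGM')) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Object type not allowed') +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* Fail early if the object is not available in DEVLIB.              */
             CHKOBJ     OBJ(DEVLIB/&OBJ) OBJTYPE(&TYPE)
             MONMSG     MSGID(CPF9800) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Object not available in DEVLIB') +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* The copy runs under the adopted authority of the program owner.   */
             CRTDUPOBJ  OBJ(&OBJ) FROMLIB(DEVLIB) OBJTYPE(&TYPE) +
                          TOLIB(TESTLIB)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Promotion to TESTLIB failed') +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* Record who promoted what in the history log.                      */
             RTVJOBA    CURUSER(&USER)
             CHGVAR     VAR(&MSG) VALUE('PROMOTE:' *BCAT &OBJ *BCAT +
                          &TYPE *BCAT 'to TESTLIB by' *BCAT &USER)
             SNDPGMMSG  MSG(&MSG) TOMSGQ(*HSTLOG)
             ENDPGM
```

The adopted authority applies only while PROMOTE is on the call stack, so the programmer's own profile needs no special authority to TESTLIB.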

