My company uses a four-tier validation environment to control software change (dev., test, validation and controlled). Some programmers need *ALLOBJ, yet corporate policy refuses it in order to protect the validation and controlled environments -- fair enough. How can you secure a library in such a way that an *ALLOBJ programmer cannot access it?
You can't. Some people would attempt to control the programmer by removing the *ALLOBJ from the programmer, placing the programmer in a group profile and giving the *ALLOBJ to the group. Then you can grant the programmer *EXCLUDE authority to the library, prohibiting him or her from accessing it. The problem with that approach is that you have to secure many, many interfaces to ensure they can't get around this roadblock. For example, you'd have to exclude the programmer from all the profiles that are allowed to work with the library or else they could submit a job to run under one of those profiles. You'd have to secure the programmer from being able to create a program that adopts a profile that has authority to work with the library. Practically speaking, it is impossible to control access to a library when a user has *ALLOBJ -- even through a group profile.
A different approach to take might be to create tools for the change management process that adopt a powerful profile and enable the functions for which the programmers need *ALLOBJ. That way, the programmers can do their job but not be given *ALLOBJ. This should satisfy your corporate policy as well.
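As an added example (not part of the original Q&A and not the expert's own code), here is a minimal change-management tool built the way the answer suggests: a CL program that adopts a service profile's authority for the one step that needs it, so the programmers never hold *ALLOBJ themselves. Every name in it is an assumed placeholder: CTLLIB (the controlled library), VALLIB (the validation library objects are promoted from), CMOWNER (the service profile that owns the tool and holds rights to CTLLIB), CMTOOLS (the library holding the tool and its QCLSRC source), PGMRGRP (the programmers' group profile) and PROMOTE (the tool).

```cl
/* Added example, not from the original Q&A. All names below are assumed */
/* placeholders: CTLLIB, VALLIB, CMOWNER, CMTOOLS, PGMRGRP, PROMOTE.      */

/* ---------- Member PROMOTE in CMTOOLS/QCLSRC ---------- */
PGM        PARM(&OBJ &OBJTYPE)
  DCL      VAR(&OBJ)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&OBJTYPE) TYPE(*CHAR) LEN(7)
  DCL      VAR(&USER)    TYPE(*CHAR) LEN(10)

  /* Accept only the object types the process promotes. The tool must  */
  /* never offer a command line or call arbitrary programs: anything it */
  /* calls inherits CMOWNER's authority unless compiled USEADPAUT(*NO). */
  IF COND(&OBJTYPE *NE '*PGM' *AND &OBJTYPE *NE '*SRVPGM' *AND +
          &OBJTYPE *NE '*FILE') THEN(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('PROMOTE: object type' *BCAT &OBJTYPE *BCAT +
                      'is not allowed') MSGTYPE(*ESCAPE)
  ENDDO

  /* Objects come from the validation library and nowhere else. */
  CHKOBJ   OBJ(VALLIB/&OBJ) OBJTYPE(&OBJTYPE)
  MONMSG   MSGID(CPF9801 CPF9810) EXEC(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('PROMOTE:' *BCAT &OBJ *BCAT 'not found in VALLIB') +
               MSGTYPE(*ESCAPE)
  ENDDO

  /* The only step that needs authority to CTLLIB. It succeeds because  */
  /* the program was compiled USRPRF(*OWNER) and is owned by CMOWNER.   */
  MOVOBJ   OBJ(VALLIB/&OBJ) OBJTYPE(&OBJTYPE) TOLIB(CTLLIB)

  /* MOVOBJ keeps the original owner, who would otherwise retain owner  */
  /* rights to the object inside CTLLIB. Exclude the public here; the   */
  /* process should also transfer ownership to a service profile        */
  /* (CHGOBJOWN ... CUROWNAUT(*REVOKE)) once CMOWNER is authorized to.  */
  GRTOBJAUT OBJ(CTLLIB/&OBJ) OBJTYPE(&OBJTYPE) USER(*PUBLIC) AUT(*EXCLUDE)

  /* Adopting authority does not change the job's user, so the real     */
  /* programmer is what gets logged here and in the audit journal.      */
  RTVJOBA  USER(&USER)
  SNDPGMMSG MSG(&USER *BCAT 'promoted' *BCAT &OBJ *BCAT 'to CTLLIB') +
            TOMSGQ(QSYSOPR)
ENDPGM

/* ---------- One-time setup, run by an administrator, not a programmer ---------- */
/* A service profile nobody can sign on as: no password, disabled, no   */
/* special authorities. Its power comes only from private authorities.  */
CRTUSRPRF USRPRF(CMOWNER) PASSWORD(*NONE) STATUS(*DISABLED) SPCAUT(*NONE) +
          TEXT('Owner of change-management tools')

/* Only CMOWNER (and genuine *ALLOBJ administrators) can reach CTLLIB.  */
GRTOBJAUT OBJ(CTLLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(CTLLIB) OBJTYPE(*LIB) USER(CMOWNER) AUT(*ALL)
GRTOBJAUT OBJ(CTLLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(CTLLIB/*ALL) OBJTYPE(*ALL) USER(CMOWNER) AUT(*ALL)

/* Compile the tool to run with its owner's authority, then give it to  */
/* CMOWNER and revoke the compiling administrator's owner rights.       */
CRTBNDCL  PGM(CMTOOLS/PROMOTE) SRCFILE(CMTOOLS/QCLSRC) SRCMBR(PROMOTE) +
          USRPRF(*OWNER)
CHGOBJOWN OBJ(CMTOOLS/PROMOTE) OBJTYPE(*PGM) NEWOWN(CMOWNER) +
          CUROWNAUT(*REVOKE)

/* PROMOTE must not pick up authority adopted by whatever called it.    */
CHGPGM    PGM(CMTOOLS/PROMOTE) USEADPAUT(*NO)

/* Programmers may run the tool and nothing more: no read, no change.   */
GRTOBJAUT OBJ(CMTOOLS/PROMOTE) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(CMTOOLS/PROMOTE) OBJTYPE(*PGM) USER(PGMRGRP) AUT(*USE)
```

A programmer then promotes with `CALL CMTOOLS/PROMOTE PARM('MYPGM' '*PGM')` and never touches CTLLIB directly. Two points matter for the design: the program validates its own inputs and exposes no command line, because every program it calls would otherwise run with CMOWNER's authority; and because the programmer holds no *ALLOBJ at all, the group-profile and job-submission bypasses the answer describes do not apply. Authority failures against CTLLIB still land in the audit journal under the programmer's own profile, which is the entry you would watch for.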
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ...
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ...
On AS/400, the journal type AF subtype K shows that a user profile lacks the special authority required by the function attempting to run.