
Things about *ALLOBJ special authority to be aware of

We have been discovering many quirks for profiles with *ALLOBJ special authority. Specifically, we are finding that operators with *JOBCTL and *SPLCTL are not permitted to view the job log for any job running under a profile that has the *ALLOBJ authority. Why is this? Just displaying a job log seems harmless enough, especially given *SPLCTL and *JOBCTL are already specified.

Another thing we've discovered is that operators with *SECADM cannot see or work with user profiles if those user profiles were made by someone with *ALLOBJ. My understanding was that *SECADM allowed a user to do everything with user profiles, regardless of who created them. Why should this not be the case? Also, is there any systematic way to identify those profiles that were created by a profile with *ALLOBJ?

Finally, is there any place that documents these "exceptions" to the rules with *ALLOBJ special authority?


Yes, there are some things about *ALLOBJ special authority that you need to be aware of. While you may not consider looking at an *ALLOBJ job log to be a problem, others do. Users with *ALLOBJ may have created profiles or other objects that you don't want just anyone knowing about, for example. If not being able to view the job log of an *ALLOBJ user is an issue, you may want to consider writing a CL command that displays job logs and have the CL program be owned by and adopt the authority of a user with *ALLOBJ. Then authorize your operators to this program.

The issue with users that have *SECADM not being able to manage user profiles is not because the profiles were created by an *ALLOBJ user. It's because the *SECADM users don't have authority to the profiles. You must have *USE and *SECADM to change a profile.

These "exceptions" are all documented or noted in Appendix D of the iSeries Security Reference manual, available as a .PDF from the IBM Information Center.
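The adopted-authority program suggested in the answer above, sketched as an added example that is not part of the original answer or any IBM-supplied code. The library SECTOOLS, program DSPALLJL, owner profile JLOGOWN and group profile OPERGRP are hypothetical names, and sending the audit message to the system operator queue is an assumption about where you want the record.

```cl
/* Added example, not from the original answer. Hypothetical names:   */
/* SECTOOLS (library), DSPALLJL (program), JLOGOWN (owner profile     */
/* with *ALLOBJ), OPERGRP (operators' group profile).                 */
/*                                                                    */
/* One-time setup by a security officer:                              */
/*   CRTCLPGM PGM(SECTOOLS/DSPALLJL) SRCFILE(SECTOOLS/QCLSRC) +       */
/*            USRPRF(*OWNER) AUT(*EXCLUDE)                            */
/*   CHGOBJOWN OBJ(SECTOOLS/DSPALLJL) OBJTYPE(*PGM) NEWOWN(JLOGOWN)   */
/*   GRTOBJAUT OBJ(SECTOOLS/DSPALLJL) OBJTYPE(*PGM) +                 */
/*             USER(OPERGRP) AUT(*USE)                                */
/* USRPRF(*OWNER) makes the program adopt its owner's authority;      */
/* AUT(*EXCLUDE) keeps everyone except OPERGRP from calling it.       */

PGM        PARM(&JOB &USER &NBR)
  DCL      VAR(&JOB)    TYPE(*CHAR) LEN(10)   /* job name             */
  DCL      VAR(&USER)   TYPE(*CHAR) LEN(10)   /* job user             */
  DCL      VAR(&NBR)    TYPE(*CHAR) LEN(6)    /* job number           */
  DCL      VAR(&CALLER) TYPE(*CHAR) LEN(10)   /* who is running this  */

  /* Commands are library-qualified so a caller's library list        */
  /* cannot substitute another command while authority is adopted.    */

  /* Record who used the adopted authority and on which job.          */
  QSYS/RTVJOBA CURUSER(&CALLER)
  QSYS/SNDPGMMSG MSG('DSPALLJL:' *BCAT &CALLER *BCAT +
                   'viewed job log of' *BCAT &NBR *CAT '/' +
                   *CAT &USER *TCAT '/' *CAT &JOB) +
                 TOMSGQ(*SYSOPR)

  /* The program does this one thing only: display the job log.       */
  QSYS/DSPJOBLOG JOB(&NBR/&USER/&JOB)
  MONMSG   MSGID(CPF0000) EXEC(DO)
    QSYS/SNDPGMMSG MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                   MSGDTA('Job log could not be displayed') +
                   MSGTYPE(*ESCAPE)
  ENDDO
ENDPGM
```

When calling it directly, pass all three parameters as quoted character values, for example `CALL PGM(SECTOOLS/DSPALLJL) PARM('JOBNAME' 'USERNAME' '123456')`, because an unquoted job number is passed as a decimal value rather than as characters.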


This was last published in September 2004
