
What authority do I need?

I have *SECADM special authority in my user profile. I have *ALL authority to a specific library from which I need to manually delete the objects created by other users. How can I do it without granting myself *ALLOBJ special authority or granting authority for each object created? Thanks in advance.

To determine what authority you need to perform some task on OS/400, your guidebook is Appendix D in the iSeries Security Reference manual. The Security Reference manual is updated each release and is available from IBM Information Center. Choose your region, then the release, then open the Security topic in the left navigation bar. The manual is in that list and is available as a .PDF. Appendix D lists all CL commands shipped with the system and the authority you need to perform each one.

In general, you need *OBJEXIST to an object to delete it. This authority is typically only given to the owner of the object. So, to answer your question – how do you avoid giving yourself *ALLOBJ or *ALL to every object? You have a couple of options, but none is what I'd call "elegant" or even the best option, since some of them carry some additional security concerns.

Option 1: If all of the objects are owned by the same profile, you could add this profile as one of your groups. Since every member of a group profile essentially owns the objects the group owns, you'd have sufficient authority to delete the objects; however, unless you do this programmatically, by using an API such as the setgid APIs, which means the group is only temporarily added to your profile, this probably actually gives you more power than you want/need to have.

Option 2: Write your own version of the DLTPGM, DLTCMD, DLTF, etc. commands that adopts an *ALLOBJ profile. This could get cumbersome depending on how many different object types you have to delete. But this is probably a better solution than Option 1.

Option 3: Write a tool that either swaps to run as a profile that has *ALLOBJ or puts up a command line (e.g., CALL QCMD) that is using adopted authority. Again, probably not the best solution because the temptation may be too great to not use this interface all of the time.
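
One way Option 2 could look, as an added example that is not code from the original answer: a CL wrapper that adopts its owner's authority but deletes only a single named object from one hard-coded library. DLTAPPOBJ, APPLIB, SECTOOLS, DLTOWNER and MYUSER are hypothetical names, and DLTOWNER is assumed to be the owning profile with the authority the answer describes.

```cl
/* DLTAPPOBJ - added example; every name here is hypothetical.       */
/* Deletes one named *PGM, *CMD or *FILE object from one fixed       */
/* library while running under the program owner's authority.        */
/*                                                                   */
/* One-time setup by the security administrator (assumed names):     */
/*   CRTCLPGM   PGM(SECTOOLS/DLTAPPOBJ) SRCFILE(SECTOOLS/QCLSRC) +   */
/*                USRPRF(*OWNER) AUT(*EXCLUDE)                       */
/*   CHGOBJOWN  OBJ(SECTOOLS/DLTAPPOBJ) OBJTYPE(*PGM) +              */
/*                NEWOWN(DLTOWNER)                                   */
/*   GRTOBJAUT  OBJ(SECTOOLS/DLTAPPOBJ) OBJTYPE(*PGM) +              */
/*                USER(MYUSER) AUT(*USE)                             */
             PGM        PARM(&OBJ &OBJTYPE)
             DCL        VAR(&OBJ)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&OBJTYPE) TYPE(*CHAR) LEN(10)
/* The library is a constant, not a parameter, so the adopted        */
/* authority cannot be pointed at any other library.                 */
             DCL        VAR(&LIB)     TYPE(*CHAR) LEN(10) VALUE('APPLIB')

/* Any unexpected error ends the request instead of continuing       */
/* under adopted authority.                                          */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(REJECT))

/* CHKOBJ takes one object name and type; anything that does not     */
/* resolve to an existing object in &LIB is rejected.                */
             CHKOBJ     OBJ(&LIB/&OBJ) OBJTYPE(&OBJTYPE)

/* Only the object types listed here can be deleted.                 */
             IF         COND(&OBJTYPE *EQ '*PGM') THEN(DO)
                DLTPGM     PGM(&LIB/&OBJ)
                GOTO       CMDLBL(DONE)
             ENDDO
             IF         COND(&OBJTYPE *EQ '*CMD') THEN(DO)
                DLTCMD     CMD(&LIB/&OBJ)
                GOTO       CMDLBL(DONE)
             ENDDO
             IF         COND(&OBJTYPE *EQ '*FILE') THEN(DO)
                DLTF       FILE(&LIB/&OBJ)
                GOTO       CMDLBL(DONE)
             ENDDO

/* Fall through: unsupported type, missing object or failed delete.  */
 REJECT:     SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Request rejected by DLTAPPOBJ') +
                          MSGTYPE(*ESCAPE)
 DONE:       ENDPGM
```

Called as `CALL PGM(SECTOOLS/DLTAPPOBJ) PARM('OLDPGM' '*PGM')`, the wrapper never offers a command line, which keeps it narrower than the interface described in Option 3.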

