Create a groups profile with *ALLOBJ authority and status DISABLED. Put the user (i.e. the system operator who has USERCLASS *SYSOPR), that should have full object control in that groups profile, but give that user NOT the *ALLOBJ special authority. Now you can exclude that userID for the objects you don't want him to access (for instance the commands STRDFU, UPDDTA and STRSQL). The accessibility for all other objects in the system stays open, because his owning Groups profile has *ALLOBJ authority.