Getting Past *ALLOBJ Authority
Hey, Ted:
As you know, a user who is granted *ALLOBJ authority has access
to all objects in the system.
How can I exclude the access to an object for those users?
-- Sam
There is no foolproof way to keep a user with *ALLOBJ authority from accessing an object.
Sam, here is one method that works in certain situations.
Do not grant *ALLOBJ authority directly to the user.
Instead, grant *ALLOBJ authority to a group profile.
CRTUSRPRF USRPRF(somegroup) SPCAUT(*ALLOBJ)
Make the user part of the group.
CHGUSRPRF USRPRF(someuser) GRPPRF(somegroup)
Revoke the user's authority to access the object.
GRTOBJAUT OBJ(mylib) OBJTYPE(*FILE) +
USER(someuser) AUT(*EXCLUDE)
The individual authorities of a user profile take precedence over group authorities, so the user is
forbidden to access the object.
However, be aware that a skilled user with access to a command line can regain the authority you took
away from their profile by submitting a batch job under the group profile.
I recommend that you audit access to the objects that you are trying to protect.
-- Ted
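The lookup order this answer relies on, as a simplified Python model added here (not part of the original column and not IBM's implementation). It ignores authorization lists, adopted authority and supplemental groups, and the profiles otheruser and directuser are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOBJ, EXCLUDE = "*ALLOBJ", "*EXCLUDE"

@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)  # special authorities (SPCAUT)
    group: Optional["Profile"] = None          # group profile (GRPPRF)

@dataclass
class Obj:
    name: str
    private: dict = field(default_factory=dict)  # profile name -> private authority
    public: str = EXCLUDE                        # *PUBLIC authority (constructed default)

def check_access(profile, obj):
    """Return (allowed, reason) for a job running under `profile`."""
    # 1. *ALLOBJ held directly is honoured before any private authority is read.
    if ALLOBJ in profile.special:
        return True, f"{profile.name} holds *ALLOBJ directly"
    # 2. A private authority for the profile itself ends the search, even *EXCLUDE.
    if profile.name in obj.private:
        aut = obj.private[profile.name]
        return aut != EXCLUDE, f"{profile.name} has private authority {aut}"
    # 3. Only when the user has no entry of its own is the group consulted.
    grp = profile.group
    if grp is not None:
        if ALLOBJ in grp.special:
            return True, f"group {grp.name} holds *ALLOBJ"
        if grp.name in obj.private:
            aut = obj.private[grp.name]
            return aut != EXCLUDE, f"group {grp.name} has private authority {aut}"
    # 4. Fall back to *PUBLIC.
    return obj.public != EXCLUDE, f"*PUBLIC authority is {obj.public}"

def scenarios():
    """Constructed profiles mirroring the commands in the answer."""
    somegroup = Profile("somegroup", {ALLOBJ})
    someuser = Profile("someuser", group=somegroup)
    otheruser = Profile("otheruser", group=somegroup)  # hypothetical: no *EXCLUDE entry
    directuser = Profile("directuser", {ALLOBJ})       # hypothetical: *ALLOBJ granted directly
    obj = Obj("mylib", private={"someuser": EXCLUDE, "directuser": EXCLUDE})
    return {p.name: check_access(p, obj)[0]
            for p in (someuser, otheruser, directuser, somegroup)}

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:<11} {'allowed' if allowed else 'denied'}")
```

The directuser row shows why *ALLOBJ must not be granted to the user directly, and the somegroup row is the caveat above: work that runs under the group profile is not subject to the user's *EXCLUDE entry, which is why auditing the object matters.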