× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2004

RE: Locking out USRPRF with *ALLOBJ

midrange-l-request@xxxxxxxxxxxx wrote:

>   6. Locking out USRPRF with *ALLOBJ (Bill Freiberg)
>
>Is there a way to lock a USRPRF that has ALLOBJ authority out of a specific
>library and/or command?
>
>I have changed the objects I want to protect from this specific usrprf to
>*EXCLUDE any authority to the profile, but the profile can still access the
>command and library.

Bill:

Easiest way I can think of:

 ==> chgusrprf  allobjusr password(*NONE) status(*DISABLED)

and maybe throw in inlpgm(*NONE) inlmnu(*SIGNOFF) for good measure.

To be honest, even that might not be sufficient unless you can guarantee all 
past actions have been fully audited and accounted for. (And I doubt that goes 
far enough.)

In general, you'll then have an *ALLOBJ user profile who can't access the 
commands or libraries... unless some other user profile has authority to use 
that profile to cause things to be done or... ?

There are other cruder hacks that are not secure and _NOT_ recommended but can 
be used in times of need in order to get past temporary obstacles, but the only 
reasonable solution is not to give *ALLOBJ to someone who shouldn't have access 
to _ALL OBJECTS_.

For example, you can put *ALLOBJ in a group profile, remove it from the user 
and then add the user to the group. Private *EXCLUDE authorities then take 
effect for the user. Of course, the user can use the group *ALLOBJ to take all 
kinds of routes around the restriction and even remove the restriction, but 
I've found it to be useful when keeping new people or trainees from shooting 
themselves in the foot. Sometimes crude methods are appropriate and aren't 
significantly worse than giving *ALLOBJ directly.

Only you know the circumstances you're in. I don't suppose you could describe 
the business case for granting *ALLOBJ while restricting specific object 
access? Maybe there's an appropriate technique for you.

Tom Liotta

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertech.com


__________________________________________________________________
Switch to the New Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need. 

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.