MIDRANGE dot COM Mailing List Archive




RE: Restrict User




Hi Vernon
Like I said - it's been a while since I last did anything like this, but if my memory is correct (no guarantee there) the system strives to give access to an object first, BEFORE it contemplates EXCLUDE. Therefore as the user is part of a group user profile, the user will have *ALLOBJ via the group profile.

Alan Shore
Programmer/Analyst, Direct Response
E:AShore@xxxxxxxx
P:(631) 200-5019
C:(631) 880-8640
"If you're going through Hell, keep going" - Winston Churchill


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Vernon Hamberg
Sent: Wednesday, January 02, 2013 12:58 PM
To: Midrange Systems Technical Discussion
Subject: Re: Restrict User

I believe there is a way to block access to things, even for a user with *ALLOBJ. I could not find it, though - it's the mechanism used by Application Administration in Navigator, IIRC.

So I googled it and found this idea in a Search400 tip from 2001 -

Is there a way to prevent a user with *ALLOBJ special authority from accessing specific files/programs until I can get the *ALLOBJ authority away from them?
A user with *ALLOBJ special authority has access to all objects on the system, no matter how the authority for the objects is set. You can, however, take a different approach to take away access to the files.
First, create a group profile with *ALLOBJ special authority using the CRTUSRPRF command. Make the user a member of this group with the CHGUSRPRF command. Also, take away the user's *ALLOBJ special Authority.
Use EDTOBJAUT for the individual files/programs and exclude the user from them.

Now, the user will not have access to the files/programs, but will have access to everything else on the system. OS/400 checks the individual user's authority to an object before it checks the group profile's special authority.

It's worth a try, eh?

Oh, yeah - the other thing is "user function registration". Try GO CMDFCNUSG to see the commands. I don't know if the OS is set up to handle things like blocking command usage, however.

HTH
Vern

On 1/2/2013 10:55 AM, Alan Shore wrote:
Hi John
It's been a while since I did anything like this, so here goes.
What special authority does this particular user have?
If they have *ALLOBJ then there is nothing that you can do unless this special authority is first removed.

Alan Shore
Programmer/Analyst, Direct Response
E:AShore@xxxxxxxx
P:(631) 200-5019
C:(631) 880-8640
"If you're going through Hell, keep going" - Winston Churchill


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Mathew
Sent: Wednesday, January 02, 2013 11:51 AM
To: Midrange Systems Technical Discussion
Subject: Re: Restrict User



Thanks,

If I don't want user id to delete any libraries then?

John


________________________________
From: Jeff Young <jyoung0950@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Sent: Wednesday, 2 January 2013 8:45 AM
Subject: Re: Restrict User

Use the command:
GRTOBJAUT OBJ(LIBRARY) OBJTYPE(*LIB) USER(USER) AUT(*EXCLUDE)

where LIBRARY is your library name.

On Wed, Jan 2, 2013 at 11:38 AM, John Mathew <johnmathew400@xxxxxxxxx> wrote:


I want to restrict a particular user ID from deleting libraries.
He should not have access to delete the library.

Can someone please guide or suggest?

Thanks in advance.


John
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.



--
Jeff Young
Sr. Programmer Analyst

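The check order that the quoted Search400 tip relies on, as an added example (a simplified Python model, not code from the thread or from IBM). Profile and library names are constructed, any private authority other than *EXCLUDE is treated as sufficient, and authorization lists and adopted authority are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOBJ = "*ALLOBJ"
EXCLUDE = "*EXCLUDE"

@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)   # special authorities held by the profile
    group: Optional["Profile"] = None           # group profile, if any

@dataclass
class Obj:
    name: str
    private: dict = field(default_factory=dict)  # profile name -> private authority
    public: str = EXCLUDE                        # *PUBLIC authority (assumed default here)

def check_access(user, obj):
    """Return (allowed, deciding_step) in the order the tip describes."""
    # 1. The user's own *ALLOBJ grants access regardless of object authority.
    if ALLOBJ in user.special:
        return True, "user *ALLOBJ"
    # 2. A private authority for the user decides; the group is not consulted.
    if user.name in obj.private:
        auth = obj.private[user.name]
        return auth != EXCLUDE, "user private " + auth
    # 3. Only when the user has no private authority is the group examined.
    grp = user.group
    if grp is not None:
        if ALLOBJ in grp.special:
            return True, "group *ALLOBJ"
        if grp.name in obj.private:
            auth = obj.private[grp.name]
            return auth != EXCLUDE, "group private " + auth
    # 4. Fall back to *PUBLIC.
    return obj.public != EXCLUDE, "public " + obj.public

def scenarios():
    """Constructed cases: before and after applying the tip's steps."""
    grp = Profile("GRPALLOBJ", {ALLOBJ})
    before = Profile("JSMITH", {ALLOBJ})          # user still holds *ALLOBJ directly
    after = Profile("JSMITH", set(), group=grp)   # *ALLOBJ moved to the group profile
    paylib = Obj("PAYLIB", private={"JSMITH": EXCLUDE})
    testlib = Obj("TESTLIB")                      # no private authority for JSMITH
    return {
        "before/PAYLIB": check_access(before, paylib),
        "after/PAYLIB": check_access(after, paylib),
        "after/TESTLIB": check_access(after, testlib),
    }
```

In the "before" case the *EXCLUDE entry has no effect because the user's own *ALLOBJ is evaluated first; in the "after" cases the same entry blocks PAYLIB while the group's *ALLOBJ still covers TESTLIB.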







This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact