I think James is right.
MESECOFR creates user HRCLERK.
In 7.2 MESECOFR can grant HRCLERK ability to maintain data in the schema
HRDATA even though MESECOFR cannot get to that same data. MESECOFR has
*ALLOBJ and everything else. But still can't access that data.
So, MESECOFR can create a user called DELETEME. And grant DELETEME the
permission to get into that data. MESECOFR can signoff and sign back on
Here's a close analogy.
QSECOFR can do
and set them up so that they can only sign on to terminals they have
access to. Even if they have *ALLOBJ, etc.
QSECOFR tries to sign on to DSP01005 but cannot. So QSECOFR runs
GRTOBJAUT OBJ(DSP01005) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*ALL)
and now they can sign on to DSP01005.
Or QSECOFR can run
CHGSYSVAL QLMTSECOFR ...
and turn it off and back on at will.
So don't give IBM more credit than they deserve. Or, on a more positive
spin, don't 'assume' it works like you want it to - verify.