MIDRANGE dot COM Mailing List Archive



Home » SECURITY400 » December 2009

Re: Removing *ALLOBJ from user profile



fixed

Steve,

You can use auditing to analyze the profile. See "Auditing the security
officer's actions"
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzamv/rzamvaudit
secofraction.htm or
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzarl/rzarlaud
action.htm.

If the profile is only used for running a limited number of scheduled batch
jobs and you have a test environment, it might be simpler to create a test
profile without *ALLOBJ authority and run the scheduled jobs in the test
environment using this profile to see what problems pop up.

If it's used for ad-hoc submitted jobs, you can find jobs run by the user in
QHST using DSPLOG or a utility (e.g., TAATOOLS).

How is the profile used? Do many users have access to it for submitting
jobs? I assume from your message that it is disabled for interactive
signon. How many different jobs need to be analyzed? Are these scheduled
or on-demand?

Do you have a test environment? Do you have a utility for analyzing the
history log?

Thank you for your support,

Ron







Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact