MIDRANGE dot COM Mailing List Archive



Home » SECURITY400 » December 2009

Re: Removing *ALLOBJ from user profile




Ron -

The profile 'owns' an application but it has QPGMR as the group profile and
*GRPPRF as the 'OWNER', so the profile itself doesn't actually own anything
other than a couple of IFS directories.

I don't see a way to DSPLOG by user ID - only by job/number/user and I don't
know 2 of the 3.
I also have no utility for analyzing QHST.

The profile is PUBLIC *EXCLUDE so no one is using it to SBMJOBs.


"Ron Boris" <i@xxxxxxxxxxxx> wrote in message
news:mailman.2626.1260560260.31599.security400@xxxxxxxxxxxxxxx
Steve,

You can use auditing to analyze the profile. See "Auditing the security
officer's actions"
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzamv/rzamvauditsecofraction.htm or
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzarl/rzarlaudaction.htm.

If the profile is only used for running a limited number of scheduled batch
jobs and you have a test environment, it might be simpler to create a test
profile without *ALLOBJ authority and run the scheduled jobs in the test
environment using this profile to see what problems pop up.

If it's used for ad-hoc submitted jobs, you can find jobs run by the user in
QHST using DSPLOG or a utility (e.g., TAATOOLS).

How is the profile used? Do many users have access to it for submitting
jobs? I assume from your message that it is disabled for interactive
signon. How many different jobs need to be analyzed? Are these scheduled
or on-demand?

Do you have a test environment? Do you have a utility for analyzing the
history log?

Thank you for your support,

Ron
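
Added example (not from either poster): since DSPLOG has no user-only filter, one option is to print the QHST history log and filter the job-start lines offline by the user part of the qualified job name. The profile name APPOWNER, the sample lines, and the listing layout the pattern expects are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines shaped like job start/end messages in a printed
# QHST listing. Wording and layout are assumed; adjust the pattern to match
# the listing your release actually produces.
SAMPLE_LISTING = """\
CPF1124  Job 104511/QPGMR/NIGHTLY started on 12/10/09 at 01:00:02 in subsystem QBATCH
CPF1124  Job 104512/APPOWNER/INVPOST started on 12/10/09 at 01:15:40 in subsystem QBATCH
CPF1164  Job 104512/APPOWNER/INVPOST ended on 12/10/09 at 01:22:13
CPF1124  Job 104530/JSMITH/QPADEV0004 started on 12/10/09 at 08:01:11 in subsystem QINTER
CPF1124  Job 104777/APPOWNER/INVPOST started on 12/11/09 at 01:15:38 in subsystem QBATCH
CPF1124  Job 104780/APPOWNER/ARCLOSE started on 12/11/09 at 02:00:05 in subsystem QBATCH
"""

# A qualified job name is number/user/name: six digits, then two names of up
# to ten characters each.
JOB_START = re.compile(
    r"Job (?P<number>\d{6})/(?P<user>[A-Z0-9_#@$]{1,10})/(?P<name>[A-Z0-9_#@$.]{1,10}) "
    r"started on (?P<date>\S+) at (?P<time>\S+)"
)

def jobs_started_by(listing, user):
    """Return (number, name, date, time) for each job-start line run under `user`."""
    hits = []
    for line in listing.splitlines():
        m = JOB_START.search(line)
        if m and m.group("user") == user.upper():
            hits.append((m.group("number"), m.group("name"),
                         m.group("date"), m.group("time")))
    return hits

def distinct_job_names(listing, user):
    """Count runs per job name: the list of jobs to retest without *ALLOBJ."""
    return Counter(name for _, name, _, _ in jobs_started_by(listing, user))

if __name__ == "__main__":
    # APPOWNER is a hypothetical profile name used only for this example.
    for name, runs in sorted(distinct_job_names(SAMPLE_LISTING, "APPOWNER").items()):
        print(f"{name}: {runs} run(s)")
```

The user part of a qualified job name is the profile the job started under, so work that switches to the profile mid-job will not appear in this list.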








