MIDRANGE dot COM Mailing List Archive



Home » SECURITY400 » December 2009

Re: Removing *ALLOBJ from user profile




Steve McKay wrote:

> The profile 'owns' an application but it has QPGMR as the group profile and
> *GRPPRF as the 'OWNER', so the profile itself doesn't actually own anything
> other than a couple of IFS directories.

Steve:

I would recommend not having an IBM profile being a group profile, but that isn't an issue for the circumstance you describe. It doesn't matter that the *GRPPRF is specified to own created objects, so that's irrelevant except perhaps to explain how ownership went to the group profile. It won't affect anything related to deleting this profile.

> I don't see a way to DSPLOG by user ID - only by job/number/user and I don't know 2 of the 3.
> I also have no utility for analyzing QHST.

I don't see any reason to review QHST. It's possible that something might catch your eye; other than that, it shouldn't provide any help. OTOH, if significant auditing is enabled, any audit journal entries under this profile would be important to follow up.

> The profile is PUBLIC *EXCLUDE so no one is using it to SBMJOBs.

If no other profiles have at least *USE authority and the profile that owns this profile is under control, then it seems things are covered.

Without authority to the profile and with no password, other profiles shouldn't be able to start jobs using it, nor can they switch to it -- unless they already have as much authority as this one could provide. If other profiles have access to any program that can adopt enough authority to perform the switch, then other powerful profiles are as much at risk.

If this profile owns nothing but /root directories and/or streamfiles, there doesn't seem to be any point to the existence of this profile.

If no audit entries show up, I can't think of any reason not to delete it. It doesn't seem to have any use, even as an owner.

Tom Liotta







This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact