  • Subject: Re: Qsecofr access
  • From: John Earl <johnearl@xxxxxxxxxxxxxxxxxx>
  • Date: Thu, 12 Aug 1999 13:22:29 -0700
  • Organization: The PowerTech Group

Allen,

You're right.  It's a combination of the *ALLOBJ and *SECADM that allows your
operator to change QSECOFR's password.   The only way to prevent this is to take
one or both of these special authorities from the operator.

As for allowing the operator to change passwords, that can easily be done via an
adopted authority program.  News/400 published one of mine in October 1993
that will do the job, and prevents the operator from changing the authority of a
*ALLOBJ user.  If you download that one, you might want to update it a bit
because it's a bit dated.

There are also commercial packages available that do this.   The one I like is
from Rapport Software (www.rapportsoftware.com); it is pretty comprehensive and
reasonably priced as well.

jte




Allen, Stuart wrote:

> I have the following setup for authorised users/programs to have authority
> to QSECOFR's userprofile:
>
>                             Object     -----Object------   ------Data-------
>  User         Group        Authority   O   M   E   A   R   R   A   U   D   E
>  QSYS                      *ALL        X   X   X   X   X   X   X   X   X   X
>  INTERCEPT                 USER DEF    X   X               X   X   X   X
>  ALLENS                    USER DEF    X   X               X   X   X   X
>  MYERSP                    USER DEF    X   X               X   X   X   X
>  MORRISAM                  USER DEF    X   X               X   X   X   X
>  STX400                    USER DEF    X   X               X   X   X   X
>  *GROUP       QSECOFR      *ALL        X   X   X   X   X   X   X   X   X   X
>  *PUBLIC                   *EXCLUDE
>
> Intercept and STX400 are programs, ALLENS, MYERSP & MORRISAM are users.
>
>
> However, an operator managed to change the QSECOFR password!  They have the
> following authorities:
>
> User        Group       *ALL  *AUD  SYS  *JOB  *SAV  *SEC  *SER  *SPL  User
> Profile     Profiles     OBJ   IT   CFG   CTL   SYS   ADM  VICE   CTL  Class
> EADESP                   X                X     X     X                *PGMR
>             QPGMR        X                X     X
>
> I assume it's the *secadm that's letting them do it, but this user needs to be
> able to change/add/delete userprofiles, BUT NOT QSECOFR!!!  How can I set
> things up so that this is the case?
>
> Regards,
> Stuart
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---



--
John Earl                                           johnearl@powertechgroup.com
The PowerTech Group                        206-575-0711
PowerLock Network Security              www.400security.com
The 400 School                                www.400school.com
--
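
One way to build the adopted-authority password program the reply describes, as an added example (it is not the News/400 program or any code from this thread). It refuses any target profile that holds *ALLOBJ directly or through a group profile. The names CHGOPRPWD, SECLIB and PWDOWNER are hypothetical, and the owner profile is assumed to have *SECADM plus authority to the profiles it manages.

```cl
/* CHGOPRPWD: added example, not the News/400 program. Names (CHGOPRPWD, */
/* SECLIB, PWDOWNER) are hypothetical. Build it so it adopts its owner:  */
/*   CRTBNDCL  PGM(SECLIB/CHGOPRPWD) SRCFILE(SECLIB/QCLSRC) +            */
/*             USRPRF(*OWNER)                                            */
/*   CHGOBJOWN OBJ(SECLIB/CHGOPRPWD) OBJTYPE(*PGM) NEWOWN(PWDOWNER)      */
/*   GRTOBJAUT ... USER(*PUBLIC) AUT(*EXCLUDE), then *USE to operators   */
             PGM        PARM(&USER &NEWPWD)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10) /* assumes 10-char pwds */
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
             DCL        VAR(&GRPPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SUPGRP) TYPE(*CHAR) LEN(150)
             DCL        VAR(&GRP)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&I)      TYPE(*INT)
             DCL        VAR(&POS)    TYPE(*INT)

             /* 1. The target's own special authorities */
             RTVUSRPRF  USRPRF(&USER) SPCAUT(&SPCAUT) GRPPRF(&GRPPRF) +
                          SUPGRPPRF(&SUPGRP)
             IF         COND(%SCAN('*ALLOBJ' &SPCAUT) *GT 0) THEN(GOTO CMDLBL(REFUSE))

             /* 2. Special authorities are inherited from group profiles */
             IF         COND(&GRPPRF *NE '*NONE') THEN(DO)
                RTVUSRPRF  USRPRF(&GRPPRF) SPCAUT(&SPCAUT)
                IF         COND(%SCAN('*ALLOBJ' &SPCAUT) *GT 0) THEN(GOTO CMDLBL(REFUSE))
             ENDDO
             DOFOR      VAR(&I) FROM(0) TO(14) /* up to 15 supplemental groups */
                CHGVAR     VAR(&POS) VALUE(&I * 10 + 1)
                CHGVAR     VAR(&GRP) VALUE(%SST(&SUPGRP &POS 10))
                IF         COND(&GRP *EQ ' ' *OR &GRP *EQ '*NONE') THEN(LEAVE)
                RTVUSRPRF  USRPRF(&GRP) SPCAUT(&SPCAUT)
                IF         COND(%SCAN('*ALLOBJ' &SPCAUT) *GT 0) THEN(GOTO CMDLBL(REFUSE))
             ENDDO

             /* 3. Library-qualified so a library-list change cannot swap it; */
             /*    the user must pick a new password at next sign-on          */
             QSYS/CHGUSRPRF USRPRF(&USER) PASSWORD(&NEWPWD) PWDEXP(*YES)
             RETURN

 REFUSE:     SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                          MSGDTA('Target profile has *ALLOBJ; password change refused') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

The program only constrains an operator who no longer holds *ALLOBJ and *SECADM directly, since with both the operator can still run CHGUSRPRF against QSECOFR without it.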

