|
Search the Security Reference Manual Appendix D (I could be wrong about which appendix). This will tell you the authority (and special authority) required by all commands. Find all of the commands that require *SAVSYS. Then run one of the user profile commands in the security toolkit to find all user profiles with *SAVSYS special authority. This should give you the same information as trying to audit/og when a command that required *SAVSYS special authority was run. Alternatively, you could turn command auditing on for a set of users and selct the entries from the audit journal that matched the list of commands defined in the sec ref manual appendix. On 3/23/06, Al Mac <macwheel99@xxxxxxxxxxx> wrote: > > I have created some special groups which do and do not have certain > authorities, then put users in the various groups. This makes it easy to > change the rules on clusters of individuals. They either do or do not > have > security to do certain things. This way I not have to manage all the > rules > on each person. Just add or remove the groups they in. > > >I am working to remove or at least limit, the hundreds of Special > >Authorities that have been assigned to our user profiles. > > > >Is there a way to audit the use of a special authority like *SAVSYS? > > > >I've always had the QAUDLVL system value option *SAVRST set on, but it > >apparently only tracks restore issues: > > > >*SAVRST > > Save and restore information is audited. The following are some > > examples: > > o When programs that adopt their owner's user profile are > > restored > > o When job descriptions that contain user names are restored > > o When ownership and authority information changes for objects > > that are restored > > o When the authority for user profiles is restored > > o When a system state program is restored > > o When a system command is restored > > o When an object is restored > > > >I want to know when an operation performed by ANY user profile required > >the Special Authority *SAVSYS.. > > > >Does anyone know how I might be able to do this? If it isn't possible... > >it sure should be! > > > > > >Kenneth > > > >**************************************** > >Kenneth E. Graap > >IBM Certified Specialist > >iSeries Multiple System Administrator > >NW Natural (Gas Services) > >keg@xxxxxxxxxxxxx > >Phone: 503-226-4211 x5537 > >FAX: 503-721-2518 > >**************************************** > > > >-- > >This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > list > >To post a message email: MIDRANGE-L@xxxxxxxxxxxx > >To subscribe, unsubscribe, or change list options, > >visit: http://lists.midrange.com/mailman/listinfo/midrange-l > >or email: MIDRANGE-L-request@xxxxxxxxxxxx > >Before posting, please take a moment to review the archives > >at http://archive.midrange.com/midrange-l. > > > -- > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > list > To post a message email: MIDRANGE-L@xxxxxxxxxxxx > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/mailman/listinfo/midrange-l > or email: MIDRANGE-L-request@xxxxxxxxxxxx > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l. > > -- Pat Botz pcbotz@xxxxxxxxx
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
