Now, if instead of the user having *ALLOBJ, you've given *ALLOBJ to the group profile the user belongs to, then you could explicitly deny the user access to the object, since the user's individual permissions are checked before his group profile permissions.
That is a mere technical sleight of hand - and I wouldn't recommend it. If you deny me access to an object, but permit me access to the *ALLOBJ capability, I can use the *ALLOBJ capability in any number of ways to get past the object restriction. Here is the easiest way...

Where I am user JETST - a regular *USER with no special authority, but JETST belongs to group JEGRP.
And JEGRP has *ALLOBJ authority.
And JOHNE is also a *ALLOBJ user.

User JETST submits the following command...

    SBMJOB CMD(GRTOBJAUT OBJ(QGPL/QDDSSRC) OBJTYPE(*FILE) USER(JETST) AUT(*ALL)) USER(JOHNE)

End result, user JETST has *ALL authority to QGPL/QDDSSRC because JETST has the authority to *USE profile JOHNE (he got that authority from the *ALLOBJ in his group), and because user JOHNE has the authority to change the file's authorities.

jte
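
An added example, not part of the original post: a simplified Python model of the check order described in this thread, used to audit for *EXCLUDE entries on users who still hold *ALLOBJ through a group profile. The profile data is constructed from the names in the post, the PLAIN profile and all function names are hypothetical, and public authority is ignored.

```python
# Simplified model of the checks described in this thread; not IBM i code.
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)    # special authorities, e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group profile names


# Constructed sample data using the names from the post (PLAIN is hypothetical).
PROFILES = {
    "JETST": Profile("JETST", groups=["JEGRP"]),
    "JEGRP": Profile("JEGRP", special={"*ALLOBJ"}),
    "JOHNE": Profile("JOHNE", special={"*ALLOBJ"}),
    "PLAIN": Profile("PLAIN"),
}

# Private authorities: (object, profile) -> authority value.
PRIVATE = {
    ("QGPL/QDDSSRC", "JETST"): "*EXCLUDE",
    ("QGPL/QDDSSRC", "PLAIN"): "*EXCLUDE",
}


def groups_with_allobj(user):
    """Group profiles of `user` that carry *ALLOBJ."""
    return [g for g in PROFILES[user].groups if "*ALLOBJ" in PROFILES[g].special]


def direct_access(user, obj):
    """Order from the thread: the user's own authority is checked before the group's."""
    if "*ALLOBJ" in PROFILES[user].special:
        return True
    own = PRIVATE.get((obj, user))
    if own is not None:
        return own != "*EXCLUDE"      # an explicit entry on the user ends the search
    return bool(groups_with_allobj(user))


def ineffective_exclusions():
    """Flag *EXCLUDE entries on users who still inherit *ALLOBJ from a group."""
    findings = []
    for (obj, user), aut in sorted(PRIVATE.items()):
        inherited = groups_with_allobj(user)
        if aut == "*EXCLUDE" and inherited:
            findings.append((user, obj, inherited))
    return findings
```

Each finding names a user whose direct check is denied but whose group still grants the capability the post describes, so the fix belongs on the group's special authority rather than on the object.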
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.