|
Laurence:That's really useful information. Thanks. Security profiles are going to be
If they are truly a system administrator, without adding some of the newer
security features that IBM gave us in the more recent Technology Refreshes
and/or V7R4, there is next to no way to stop them from seeing production
data. If they want to, they will. The moment they have access to a
QSECOFR
type profile, that door is open and you will have a real hard time shutting
it.
DO NOT let them use QSECOFR, in either IBM i or SST. Keep that profile
for
your organization. Create a new profile specifically for them that has
*ALLOBJ and *SECADM in addition to the list you provided. Do not put
*AUDIT in the list.
Create a profile in SST that has the authority you wish to give them, but
frankly to do the administrators job, they will need everything there.
Note: giving someone *JOBCTL also includes *SPLCTL so that's redundant.
No problem with it, just redundant.
Your list of special authorities below with allow them to do 90% of what
they need to do.
Who is going to manage user profiles? That list will not allow user
profile
maintenance ( a good thing given your questions premise ). To maintain
user
profiles you would need authority to the profile itself, and *SECADM.
--
Jim Oberholtzer
Agile Technology Architects
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
