You can take out ALL the guesswork. The operating system has support to give you the info you need. Authority Collection, you turn it on, and a flight recorder is created that records EVERY object and the Authority needed, and how the user got access to that object. You can do this on a per user basis or by object.
https://www.ibm.com/docs/en/i/7.3?topic=reference-authority-collection
It's also all controllable using Navigator.
Turn it on for the 9 users, have them run for a day or 2, and now you can see every object they touched, and what the actual authority need is. Gives you the exact details so you can make the change to remove *ALLOBJ without breaking things.
Thanks Tim
Tim Rowe - timmr@xxxxxxxxxx
STSM – Application Development & Systems Management
IBM i ISV Council
IBM i Development Lab, Rochester MN
507-250-1293
ACS -
http://ibm.biz/IBMi_ACS
Navigator -
http://ibm.biz/IBMi_Nav4i
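A query over the collected data, as an added example that is not part of the original message: it lists the objects one user reached only because of *ALLOBJ, with the authority each check actually required. It assumes a collection has already run for the placeholder profile USER01, and it uses the QSYS2.AUTHORITY_COLLECTION view with column names as given in IBM's documentation for that view; confirm them on your release.

```sql
-- Added example. USER01 is a placeholder user profile.
-- Each row of QSYS2.AUTHORITY_COLLECTION is one recorded authority check.
SELECT SYSTEM_OBJECT_SCHEMA,
       SYSTEM_OBJECT_NAME,
       SYSTEM_OBJECT_TYPE,
       DETAILED_REQUIRED_AUTHORITY,      -- what the operation needed
       DETAILED_CURRENT_AUTHORITY,       -- what the user had at check time
       AUTHORITY_SOURCE,                 -- how the check was satisfied
       COUNT(*)             AS CHECKS,
       MAX(CHECK_TIMESTAMP) AS LAST_SEEN
  FROM QSYS2.AUTHORITY_COLLECTION
 WHERE AUTHORIZATION_NAME = 'USER01'
   -- Keep only checks that passed because of the special authority;
   -- these are the accesses that break when *ALLOBJ is removed.
   AND AUTHORITY_SOURCE LIKE '%*ALLOBJ%'
 GROUP BY SYSTEM_OBJECT_SCHEMA,
          SYSTEM_OBJECT_NAME,
          SYSTEM_OBJECT_TYPE,
          DETAILED_REQUIRED_AUTHORITY,
          DETAILED_CURRENT_AUTHORITY,
          AUTHORITY_SOURCE
 ORDER BY SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME;
```

Each row in the result is an object that needs a private, group or authorization list grant at the DETAILED_REQUIRED_AUTHORITY level before *ALLOBJ comes off the profile.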
message: 1
date: Mon, 13 May 2024 14:04:32 +0000 (UTC)
from: "ubelhor@xxxxxxxxxxxxx" <ubelhor@xxxxxxxxxxxxx>
subject: Re: Users with *ALLOBJ
They think that they do because of an application that creates temporary work files that are used by multiple users and also because they need to transfer files from the IBM i to the network or their desktop. Our thought is to work on the access 1 user at a time until we are through the 9 users left with *ALLOBJ. They have a concern if we take the authority away something will be messed up that can't be recreated but think likely once we have success working with getting all working for 1 system user we will have a better idea. We were considering using the security audit journal to gather information but I'm thinking instead we just take away the authority and address as needed.
Regards,
Laura
Laura A. Ubelhor
President
Consultech Services, Inc.
www.consultechservicesinc.com
phone 248-701-7410
On Sunday, May 12, 2024 at 12:19:08 AM EDT, Roger Harman <roger.harman@xxxxxxxxxxx> wrote:
My first thought was... Why do the *users* know, or think they know, that they need *ALLOBJ authority?
That's kind of getting into the weeds for end-users.
Roger Harman
COMMON Certified Application Developer - ILE RPG on IBM i on Power