|
Well, primarily because QSECOFR has *ALLOBJ as you point out, but I think also because you shouldn't be running commands with the QSECOFR account. What are you trying to do with the user LTEIT? If you want LTEIT to be able to run any system command, that might be a start, but I think IBM purposely restricted the command STRHOSTSVR so you would have to change the authority to it yourself and you knew what the security was. A lot of people may just not worry about it and sign on as QSECOFR and start it when they want to. Regards, Jim Langston Programmer/Analyst Cels Enterprises, Inc. -----Original Message----- From: security400-admin@midrange.com [mailto:security400-admin@midrange.com]On Behalf Of Bale, Dan Sent: Monday, August 20, 2001 3:29 PM To: security400@midrange.com Subject: RE: [Security400] "Not authorized to command XXXXXXXX" This is a multi-part message in MIME format. -- [ Picked text/plain from multipart/alternative ] I used EDTOBJAUT per your advice. This seems to match what the security reference says. Why isn't QSECOFR in this list? Is it because it has *ALLOBJ special authority? Maybe I should just create a new PDM option: GRTOBJAUT &N *CMD USER(LTEIT) AUT(*USE) and use it on all command objects in QSYS? (LTEIT is the group profile for admins.) Dan Bale IT - AS/400 Handleman Company 248-362-4400 Ext. 4952 D.Bale@Handleman.com Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) -------------------------- Original Message -------------------------- > -----Original Message----- > From: Jim Langston [SMTP:jlangston@celsinc.com] > Sent: Monday, August 20, 2001 6:00 PM > To: security400@midrange.com > Subject: RE: [Security400] "Not authorized to command XXXXXXXX" > > Generally what I do when I come across this type of situation is I > EDTOBJAUT > on the given command and see how they are currently set up. I see on > our > system it is also set up: > > Object > User Group Authority > QSYS *ALL > QSRV *USE > QSRVBAS *USE > QSYSOPR *USE > QPGMR *USE > *PUBLIC *EXCLUDE > > which basically means the system, programmers and the security officer > can > run the command. If I wanted someone else to use this command I would > add > them as *USE. > > EDTOBJAUT is generally the first place I look when securing or > unsecuring > commands. > > Regards, > > Jim Langston > Programmer/Analyst > Cels Enterprises, Inc. > > -----Original Message----- > From: security400-admin@midrange.com > [mailto:security400-admin@midrange.com]On Behalf Of Bale, Dan > Sent: Monday, August 20, 2001 2:40 PM > To: security400@midrange.com > Subject: [Security400] "Not authorized to command XXXXXXXX" > > > <SNIP> > Am I correct that I can give the group profile for admins *USE > authority > to the STRHOSTSVR command to solve our dilemna? Or is there something > else that needs to be done? > > Dan Bale > <SNIP> _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/security400 or email: Security400-request@midrange.com
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
