-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Dan
Sent: Friday, November 11, 2005 9:09 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Seeing all authorities on DSPOBJAUT???

<*ALLOBJ trumps *PUBLIC *EXCLUDE?
<Seems to be a catch-22 here. Assuming someone here can sign on as a *secofr
<w/ *ALLOBJ authority, is there an easy way to quickly determine all of the
<profiles that have *ALLOBJ authority?

Yep. *ALLOBJ means the user has all object authority to any object on the system.

Working for a security software vendor I can say there sure is - buy our products <G>. As a member of this list I suggest searching the archives or simply doing a DSPUSRPRF to an outfile and then scan the file for *ALLOBJ, *SECADM, *AUDIT, *IOSYSCFG and *SERVICE. Then have users with profiles containing these authorities justify why they need them.

<When you talk about "clones of QSECOFR", I presume you are thinking of
<copying the QSECOFR profile to another profile. But isn't the real clincher
<to this is the new profile assumes the same *ALLOBJ authority that QSECOFR
<has? Or is there some other property precludes the need for *ALLOBJ
<authority?

A profile that is an exact duplicate of QSECOFR has the ability to perform virtually any function on the system. This includes creating, changing and deleting user profiles as well as any other object on the system.
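
The scan suggested in the message above, as an added example that is not part of the original post: it reads a CSV export of the user-profile listing and reports every profile holding one of the five special authorities. It goes beyond the post by also counting authorities a user picks up from a group profile or supplemental group. The column names and sample rows are constructed for illustration and are not the outfile's real field names.

```python
import csv
import io

# Special authorities the post suggests scanning for.
WATCHED = {"*ALLOBJ", "*SECADM", "*AUDIT", "*IOSYSCFG", "*SERVICE"}

# Constructed sample export; the column names are assumptions, not the
# outfile's real field names.
SAMPLE = """profile,special_authorities,group,supplemental_groups
QSECOFR,*ALLOBJ *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SECADM *SERVICE *SPLCTL,*NONE,*NONE
SECCLONE,*ALLOBJ *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SECADM *SERVICE *SPLCTL,*NONE,*NONE
GRPADMIN,*ALLOBJ *JOBCTL,*NONE,*NONE
JSMITH,*NONE,GRPADMIN,*NONE
OPER1,*JOBCTL *SAVSYS,*NONE,*NONE
MJONES,*SPLCTL,*NONE,GRPADMIN
"""

def words(cell):
    """Split a blank-separated cell, treating *NONE as empty."""
    return {w for w in cell.split() if w != "*NONE"}

def audit(export_text):
    """Map each flagged profile to {authority: where it comes from}."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    own = {r["profile"]: words(r["special_authorities"]) for r in rows}
    report = {}
    for r in rows:
        # Authorities granted directly on the profile.
        found = {a: "own profile" for a in own[r["profile"]] & WATCHED}
        # Authorities inherited from the group and supplemental groups.
        groups = words(r["group"]) | words(r["supplemental_groups"])
        for g in sorted(groups):
            for a in own.get(g, set()) & WATCHED:
                found.setdefault(a, "group " + g)
        if found:
            report[r["profile"]] = found
    return report

if __name__ == "__main__":
    for profile, found in sorted(audit(SAMPLE).items()):
        for auth, source in sorted(found.items()):
            print(f"{profile:10} {auth:10} {source}")
```

In the sample, JSMITH and MJONES hold no watched authority on their own profiles and are flagged only through GRPADMIN, which a scan of each profile's own special-authority field would miss.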