× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



On the IBM SECTOOLS menu (go sectools) opt 49 Print User Profiles has
a select to print special authorities.
Lots of other good reports.
Jim Franz

----- Original Message ----- From: "Gary Monnier" <gary.monnier@xxxxxxxxxxxxx> To: "Security Administration on the AS400 / iSeries" <security400@xxxxxxxxxxxx>
Sent: Friday, November 11, 2005 1:00 PM
Subject: RE: [Security400] Seeing all authorities on DSPOBJAUT???


-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Dan
Sent: Friday, November 11, 2005 9:09 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Seeing all authorities on DSPOBJAUT???



<*ALLOBJ trumps *PUBLIC *EXCLUDE?

<Seems to be a catch-22 here. Assuming someone here can sign on as a
*secofr
<w/ *ALLOBJ authority, is there an easy way to quickly determine all of
the
<profiles that have *ALLOBJ authority?

Yep.  *ALLOBJ means the user has all object authority to any object on
the system.  Working for a security software vendor I can say there sure
is - buy our products <G>.  As a member of this list I suggest searching
the archives or simply doing a DSPUSRPRF to an outfile and then scan the
file for *ALLOBJ, *SECADM, *AUDIT, *IOSYSCFG and *SERVICE.  Then have
users with profiles containing these authorities justify why they need
them.

<When you talk about "clones of QSECOFR", I presume you are thinking of
<copying the QSECOFR profile to another profile. But isn't the real
clincher
<to this is the new profile assumes the same *ALLOBJ authority that
QSECOFR
<has? Or is there some other property precludes the need for *ALLOBJ
<authority?

A profile that is an exact dulicate of QSECOFR has the ability to
perform virtually any function on the system.  This includes creating,
changing and deleting user profiles as well as any other object on the
system.

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.





As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.