On 11/11/05, Gary Monnier <gary.monnier@xxxxxxxxxxxxx> wrote: > > Yep. *ALLOBJ means the user has all object authority to any object on > the system. Working for a security software vendor I can say there sure > is - buy our products <G>. As a member of this list I suggest searching > the archives or simply doing a DSPUSRPRF to an outfile and then scan the > file for *ALLOBJ, *SECADM, *AUDIT, *IOSYSCFG and *SERVICE. Then have > users with profiles containing these authorities justify why they need > them. Well, I should clarify that we haven't made any determination yet whether anyone (other than our security officer, of course) even has these authorities, but like I mentioned earlier, we were trying to narrow our search for the possibilities. <When you talk about "clones of QSECOFR", I presume you are thinking of > <copying the QSECOFR profile to another profile. But isn't the real > clincher > <to this is the new profile assumes the same *ALLOBJ authority that > QSECOFR > <has? Or is there some other property precludes the need for *ALLOBJ > <authority? > > A profile that is an exact dulicate of QSECOFR has the ability to > perform virtually any function on the system. This includes creating, > changing and deleting user profiles as well as any other object on the > system. And an exact duplicate of QSECOFR also has *ALLOBJ authority, which is the thing that makes it dangerous in the wrong hands, correct? In response to Jim's post: This is good to know. I kinda feel better that no one that is in the office today can even *get* to that menu, since this leads me to the implication that our security officer has done things right. But I guess we'll have to wait until Monday now to know for certain. Thanks guys! - Dan
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.