Re: Seeing all authorities on DSPOBJAUT???

On 11/11/05, Gary Monnier <gary.monnier@xxxxxxxxxxxxx> wrote:
>
> Yep. *ALLOBJ means the user has all object authority to any object on
> the system. Working for a security software vendor I can say there sure
> is - buy our products <G>. As a member of this list I suggest searching
> the archives or simply doing a DSPUSRPRF to an outfile and then scan the
> file for *ALLOBJ, *SECADM, *AUDIT, *IOSYSCFG and *SERVICE. Then have
> users with profiles containing these authorities justify why they need
> them.


Well, I should clarify that we haven't made any determination yet whether
anyone (other than our security officer, of course) even has these
authorities, but like I mentioned earlier, we were trying to narrow our
search for the possibilities.

<When you talk about "clones of QSECOFR", I presume you are thinking of
> <copying the QSECOFR profile to another profile. But isn't the real
> clincher
> <to this is the new profile assumes the same *ALLOBJ authority that
> QSECOFR
> <has? Or is there some other property precludes the need for *ALLOBJ
> <authority?
>
> A profile that is an exact dulicate of QSECOFR has the ability to
> perform virtually any function on the system. This includes creating,
> changing and deleting user profiles as well as any other object on the
> system.


And an exact duplicate of QSECOFR also has *ALLOBJ authority, which is the
thing that makes it dangerous in the wrong hands, correct?

In response to Jim's post: This is good to know. I kinda feel better that no
one that is in the office today can even *get* to that menu, since this
leads me to the implication that our security officer has done things right.
But I guess we'll have to wait until Monday now to know for certain.

Thanks guys!
- Dan