I do not have any QOTH* user profiles. However, I do not use Lansa, etc.
Granted, if often grinds us to have products requiring a user profile with
*ALLOBJ to do certain things. It's not right that packages have to do
that sometimes, it should only be us that sometimes have to do that. :-)
Perhaps they feel that it's important that their products just "work".
Now, if you want to remove *ALLOBJ from them and then ensure that you add
their owning user profile to all of the correct authorization list,
groups, command security, etc, necessary then you could probably do so. By
the time you're done it may boil down to you might as well have given them
*SECADM is a different animal. I would probably search through their
document as to their statement of why they need *SECADM. It should be a
FAQ on their website. In that same vein, perhaps a statement of need for
*ALLOBJ isn't out of the question. Hey, if it's a documented need then
that satisfies SOX, right?
It would be nice to have some level of trust with these packages, but
after having one package that had a program with QSECOFR adopted authority
to find out it was a one line CL program that just had CALL QCMD (gets a
command line) so that raw users could do stuff when on the phone with
their support without having to deal with the users pesky security
officers, you get leery of trust.
This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact