Placing restrictions on users with *ALLOBJ
gary.shipp@s3t.co.uk
05-02-2003, 11:41 AM
Is there a way to prevent a user with *ALLOBJ authority from using a specific command? For example, a *PGMR or *SECOFR user profile with *ALLOBJ authority needs to be prevented from using a specific command. I've tried excluding the user profile within the object authority directly and via an authorisation list, but the only way I can stop the CLRPFM working is by revoking *ALLOBJ special authority on the user profile. The only alternative I can see is to revoke *ALLOBJ, and go through each QSYS command and grant access via an AUTL.
Guest.Visitor
05-02-2003, 11:41 AM
The manner in which the system checks authority in 5250 display emulation is that it looks to see if the user has *ALLOBJ authority first. Since your user does have *ALLOBJ authority, he/she is allowed to run the command. You will have to take away the *ALLOBJ special authority if you ever want to limit the access. It can be very painful removing this authority because of the many things they have always been accessing with full authority. Now you will look like the bad guy when they cannot perform functions, but how are you to know every little thing they touch on the system? My advice is to have AF security audit reporting ready to go. When they complain about needing access, you can run the audit report to see exactly what the object name is. Also, in the job log of the user it will specifically say "Not Authorized" to the object. Good luck. Scott
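The behaviour discussed in this thread, as an added example that is not part of either post and not IBM's code: a simplified Python model in which *ALLOBJ is checked first, so an *EXCLUDE on the object or its authorization list is never consulted, and in which denials after *ALLOBJ is revoked are collected as AF-style records. The profile DEV1, the APPLIB objects and the order private authority, authorization list, *PUBLIC are assumptions of the example.

```python
from collections import Counter

class Obj:
    """An object with *PUBLIC, private and authorization-list authorities."""
    def __init__(self, name, public="*USE", private=None, autl=None):
        self.name = name
        self.public = public            # authority for *PUBLIC
        self.private = private or {}    # user -> private authority on the object
        self.autl = autl or {}          # user -> authority from the authorization list

def check(user, spcaut, obj, audit):
    """Return True if `user` may use `obj`; on denial append a constructed AF-style record."""
    if "*ALLOBJ" in spcaut:
        return True                     # checked first: any *EXCLUDE below is never reached
    for source in (obj.private, obj.autl):   # assumed order: private, then AUTL
        if user in source:
            aut = source[user]
            break
    else:
        aut = obj.public                # no specific entry: fall back to *PUBLIC
    if aut == "*EXCLUDE":
        audit.append(("AF", user, obj.name))
        return False
    return True

def scenario():
    """Same requests before and after *ALLOBJ is revoked from the hypothetical profile DEV1."""
    clrpfm = Obj("QSYS/CLRPFM", private={"DEV1": "*EXCLUDE"})
    payroll = Obj("APPLIB/PAYROLL", public="*EXCLUDE")  # only ever reached through *ALLOBJ
    report = Obj("APPLIB/RPTPGM")                       # *PUBLIC *USE
    audit = []
    before = [check("DEV1", {"*ALLOBJ", "*JOBCTL"}, o, audit)
              for o in (clrpfm, payroll, report)]
    after = [check("DEV1", {"*JOBCTL"}, o, audit)
             for o in (clrpfm, payroll, payroll, report)]
    # The "audit report": which objects produced failures, and how often.
    needs = Counter(name for _, _, name in audit)
    return before, after, needs

if __name__ == "__main__":
    before, after, needs = scenario()
    print("with *ALLOBJ:   ", before)
    print("without *ALLOBJ:", after)
    for name, count in needs.items():
        print(f"AF failures on {name}: {count}")
```

The tally separates the intended block (CLRPFM) from objects the profile had only been reaching through *ALLOBJ, which are the ones that need an explicit grant.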