Unconfigured Ad Widget

Collapse

Announcement

Collapse
No announcement yet.

Removing *ALLOBJ Authority

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Removing *ALLOBJ Authority

    Offhand, I'd DSPUSRPRF TYPE(*BASIC) to an *outfile, then write a CL to read through, check the field UPSPAU for the authority you wish to remove (it's a 150 byte field, so you'll have to substr it), then issue a CHGUSRPRF to change it. Might be a cute way with APIs, but the above should be straight forward. I haven't done it this way, so you might run into issues, but I can't think of any right now. -dan
    Tags: None
  • #2
    Removing *ALLOBJ Authority

    Dave, I have done the above change, and used the exact method Dan describes, and it works very well. The only thing you need to be aware of is that you must compile and execute the CL with a userid that has a high enough level to perform the CHGUSRPRF command. You can also use that concept in a similar fashion to change authority at the individual object level, if need be. Doug.

    Comment

    • #3
      Removing *ALLOBJ Authority

      Dan/Doug, Thx for the advice - I will try this DF

      Comment

      • #4
        Removing *ALLOBJ Authority

        The easiest way for me is PDM. Run WRKOBJPDM QSYS *ALL *USRPRF Create a User Option (F16) for "CRTUSRPRF USRPRF(&N) SPCAUT(*USRCLS)

        Comment

        • #5
          Removing *ALLOBJ Authority

          The only caveat I would add, to using the abouve *OUTFILE technique, is to skip over or avoid the IBM-supplied user profiles, such as QSECOFR, QSYS, and others that may require *ALLOBJ. You may also need to watch out for certain profiles for some vendor products that may adopt authority and may require use of *ALLOBJ. Check with your product vendors for any software products or any applications software packages you may be running before you do this.

          Comment

          • #6
            Removing *ALLOBJ Authority

            I am upgrading one of our systems to level 40 security. Does anybody know of an easy way to "mass remove" special authority choices off of all of of user profiles ? I want to remove *ALLOBJ off of most of our users but there are more than 1000 & removing it user profile by user profile would be a tedious task. thx Dave

            Comment

            • #7
              Removing *ALLOBJ Authority

              The safest way might be to create your own file of user IDs you wish to restrict, then use a SQL to match records with the *OUTFILE to only get the IDs you really want to change. To acomplish part of what Mark is saying, you can skip the IBM ones by skipping any ID that starts with a "Q". (You may have to manually check for Q IDs that are individual IDs if your company allows that.) -dan

              Comment

              Previous template Next
              Working...
              X