Library

I need to secure a library from all individuals on the AS/400 except a group of individuals. I need to secure it from individuals that have all object authority also. Is this possible? Roger

#2

Roger,

> I need to secure a library from all individuals on the AS/400 except a group of individuals.

Make the *PUBLIC authority to the library object *EXCLUDE. Then grant the authorities to the group or individual user profiles to the library object or an authorization list attached to the library object. An authorization list is preferable because you can change authority to the object while the object is in use.

> I need to secure it from individuals that have all object authority also.

You mean *ALLOBJ? Then, no, you cannot secure it from these individuals. Chris


#3

I haven't tried this but what if you Exclude the specific individuals, will this work? Why do you have users that have *ALLOBJ authority?


#4

These are mostly programmers, system adm, etc. We may change this if it is the only way. Roger


#5

Roger, As a programmer/manager I understand the drive of the programmer to believe that he/she needs *allobj authority. This is a myth, however. With a little bit of review, it is quite easy to give programmers the access they REQUIRE. I suggest utilising the group profile and such to control this. I recommend that you even remove *allobj authority from your EVERY DAY profile and have a separate profile for this. You can still have *SECADM, but not have *ALLOBJ authority as well. That way, you can even define a super user who is still limited in access. BTW, MC has two books for $15.00 each (if they aren't sold out). The AS/400 Power Tips and Techniques and AS/400 Security books are really nice. They have some excellent reasons and examples of setting up security on a machine to keep the user classes happy and out of secure information. -bret


#6

I agree with you. The problem at this point is almost everyone on the system has the allobj authority. I am trying to get this corrected. But in trying to do it I am concerned that I may cause some applications to blow up if I just wholesale go in and start removing this. Any suggestions? Maybe I need the 2 books. Roger


#7

Bret,

> You can still have *SECADM, but not have *ALLOBJ authority as well. That way, you can even define a super user who is still limited in access.

NOT TRUE! If you give me *SECADM without *ALLOBJ authority, I can easily give myself *ALLOBJ authority if I have *USE authority to any profile with *ALLOBJ authority. You need to be careful with the advice you give to others. And, you need to re-read your MC security book. Chris


#8

Roger, Yes, you should buy the MC security book. If most everyone currently has *ALLOBJ authority, the solution to your problem is most likely "adopted" authority and Wayne Evans does a good job of describing this in the book. Chris


#9

Chris, Has it always been such? I remember distinctly that the Class in Chicago stated you could set up a user like this. I don't doubt you, but is this new, or was I misled in my youth? -bret


#10

Roger, I worked with JDE for many years. Their group profile for users has *ALLOBJ authority. It took a few weeks of review and another week to implement our security plan. Was it perfect? Nope. Took away CHGJOB and CHGSPLFA from users. The problem was, the 8-5 folks would send spoolfiles to an outq and the evening crew would move them to another outq to print. Without CHGSPLFA they were not able to do so. Had a few quirks but it worked fine after a week. Proper use of the Group Profiles and Authorization Lists makes for an excellent security plan. Wayne Evans does a great job in the book (which I will review tonight) and it is well worth the original cover price. -bret


#11

Chris, I just created a user called TESTPROFIL. It has *SECADM as its user class and as special authority without *ALLOBJ. I signed on with it and then called the WRKUSRPRF *all. It showed only:

    QDBSHR      Internal Data Base User Profile
    QDBSHRDO    Internal Data Base User Profile
    QSPLJOB     Internal Spool User Profile
    QTMPLPD     ALLOW REMOTE LPR REQUESTERS
    TESTPROFIL  I/S - Bret Myrick

As TESTPROFIL, I attempted to edit the user profile TESTPROFIL. The system will not allow the profile to modify itself to add Special Authorities. Therefore it cannot give itself the *ALLOBJ authority. Your serve! -bret

This is the CHGUSRPRF using option 2:

                                Change User

    User . . . . . . . . . :   TESTPROFIL

    Type choices below, then press Enter.

    User description . . . .   I/S - Bret Myrick
    Password . . . . . . . .   *SAME               Characters
    Type of user . . . . . .   *SECADM             Type, F4 for list
    User group . . . . . . .   *NONE               Name, F4 for list
    Restrict command line use  N                   Y=Yes, N=No
    Default library . . . . .  BRET                Name
    Default printer . . . . .  *WRKSTN             Name, *WRKSTN, F4 for list
    Sign on program . . . . .  *NONE               Name, *NONE
      Library . . . . . . . .                      Name
    First menu . . . . . . .   BBM                 Name
      Library . . . . . . . .  BRET                Name
                                                                     More...
    F1=Help   F3=Exit   F5=Refresh   F12=Cancel

    *** SECOND PAGE ***

                                Change User

    User . . . . . . . . . :   TESTPROFIL

    Type choices below, then press Enter.

    Attention key program . .  *SYSVAL             Name, *SYSVAL, *ASSIST, *NONE
      Library . . . . . . . .                      Name
                                                                     Bottom
    F1=Help   F3=Exit   F5=Refresh   F12=Cancel


#12

> I haven't tried this but what if you Exclude the specific individuals, will this work?

I have several userids, and I have *EXCLUDE(d) myself from specific objects (files mainly) during testing. I know for a FACT that it prevented me from updating a file that my group profile was authorized to *ALL. I don't recall if this userid had *ALLOBJ authority or not, and I cannot verify that since I have just quit that job. My point is *EXCLUDE to individual user profiles does override their group accesses. It's worth a try.


#13

Susan & Roger, *ALLOBJ is the first thing checked. If you have it you can do it. David Morris


#14

Hi David, I think what Susan was hinting at was having *ALLOBJ special authority coming from your group profile - this way the authority lookup process eventually will grant you *ALLOBJ authority - unless it finds a private authority of *EXCLUDE ending the lookup process prior to the group authority check. *ALLOBJ by means of group profile is a bit tricky (e.g. some security related commands do not respect group derived authority), but in general it allows you to grant a user profile *ALLOBJ and yet at the same time be able to restrict it from specific objects. Best regards, Carsten Flensburg
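The setup Chris gives in #2 (public *EXCLUDE on the library, group access through an authorization list) together with the per-user *EXCLUDE discussed in #12 to #14, as an added CL command sequence that is not part of this thread; the library, list, group and user names (PAYLIB, PAYAUTL, PAYGRP, JSMITH) are made up for illustration.

```cl
/* Added example, not from the thread. Object, list and profile names   */
/* (PAYLIB, PAYAUTL, PAYGRP, JSMITH) are made up. Run from a command    */
/* line or a CL source member with a profile authorized to the objects. */

/* 1. Create an authorization list whose own public authority is        */
/*    *EXCLUDE and put the authorized group profile on it. Membership    */
/*    of the list can be changed later while the library is in use.     */
/*    *USE lets members work with objects in the library; use *CHANGE   */
/*    instead if they must also create objects in it.                   */
CRTAUTL    AUTL(PAYAUTL) TEXT('Payroll library access') AUT(*EXCLUDE)
ADDAUTLE   AUTL(PAYAUTL) USER(PAYGRP) AUT(*USE)

/* 2. Attach the list to the library and make the library's *PUBLIC     */
/*    authority come from the list, so every profile that is neither    */
/*    on the list nor in PAYGRP is excluded from the library.           */
GRTOBJAUT  OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) AUTL(PAYAUTL)
GRTOBJAUT  OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)

/* 3. Optional private *EXCLUDE for one profile. As #14 explains, this  */
/*    is examined before the group profile, so it stops a user whose    */
/*    *ALLOBJ comes only from the group. It does not stop a profile     */
/*    that carries *ALLOBJ itself: that special authority is checked    */
/*    first, before any private, group or public authority.             */
GRTOBJAUT  OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) USER(JSMITH) AUT(*EXCLUDE)

/* 4. Verify the result: *PUBLIC should show *AUTL, JSMITH *EXCLUDE,    */
/*    and the list name PAYAUTL. Then check whether the profile itself  */
/*    carries *ALLOBJ in its special authorities (SPCAUT).              */
DSPOBJAUT  OBJ(QSYS/PAYLIB) OBJTYPE(*LIB)
DSPUSRPRF  USRPRF(JSMITH) TYPE(*BASIC)
```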


#15

> I need to secure a library from all individuals on the AS/400 except a group of individuals. I need to secure it from individuals that have all object authority also.

It is not possible to secure anything on a system from a user that has *ALLOBJ special authority. A user with *ALLOBJ can quickly assume the identity of QSECOFR (or any of a number of system profiles) and walk around any security fence you put up. *ALLOBJ authority means "*ALL Object Authority". jte MC Security Editor
