Chris, I think you may have experienced a fairly common situation where the user with *SECADM was the owner of profiles that have *ALLOBJ authority (there are a number of ways that this could come about, but I can only speculate that maybe an adopted authority routine provided the *ALLOBJ). In this case the *SECADM profile would have complete control over any profile that it owned. I've seen this in a number of audits that we have done (often with JDE), and it really is a dangerous situation. Sometimes you'll even have the *SECADM profile belong to the group profile that everyone else belongs to... a totally dangerous situation that gives everyone complete authority to use and abuse everyone else's user profile. The key to securing this is to monitor and limit everyone's ability to read (have *USE authority to) everyone else's user profile.

jte
MC Security Editor
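An audit sketch for the situation described in the post above, added here as an example and not part of the original thread: it takes an export of user-profile ownership and authorities and reports which profiles can reach a profile holding special authorities they lack, including through chains of owned profiles. The profile names, the dictionary layout and the simplified authority check (no authorization lists or adopted authority) are assumptions made for the example.

```python
from collections import deque

USE_OR_BETTER = {"*USE", "*CHANGE", "*ALL"}
EXCL = {"*PUBLIC": "*EXCLUDE"}

# Constructed sample (hypothetical names): special authorities, group
# profiles, owner of the *USRPRF object, and authorities granted to it.
PROFILES = {
    "APPOWNER": {"special": {"*ALLOBJ"}, "groups": [], "owner": "SECADM1", "aut": EXCL},
    "SECADM1": {"special": {"*SECADM"}, "groups": [], "owner": "GRPUSERS", "aut": EXCL},
    "GRPUSERS": {"special": set(), "groups": [], "owner": "QSECOFR", "aut": EXCL},
    "CLERK1": {"special": set(), "groups": ["GRPUSERS"], "owner": "QSECOFR", "aut": EXCL},
    "CLERK2": {"special": set(), "groups": ["GRPUSERS"], "owner": "QSECOFR",
               "aut": {"*PUBLIC": "*USE"}},
}

def can_use(actor, target, profiles):
    """Simplified check: ownership, then private, group, public authority."""
    t, groups = profiles[target], profiles[actor]["groups"]
    if t["owner"] == actor or t["owner"] in groups:
        return True
    if actor in t["aut"]:
        return t["aut"][actor] in USE_OR_BETTER
    via_group = [t["aut"][g] for g in groups if g in t["aut"]]
    if via_group:
        return any(a in USE_OR_BETTER for a in via_group)
    return t["aut"].get("*PUBLIC", "*EXCLUDE") in USE_OR_BETTER

def reachable(actor, profiles):
    """Profiles the actor can use, directly or through a chain of profiles."""
    seen, queue = set(), deque([actor])
    while queue:
        cur = queue.popleft()
        for target in profiles:
            if target != actor and target not in seen and can_use(cur, target, profiles):
                seen.add(target)
                queue.append(target)
    return seen

def escalations(profiles):
    """(actor, target, special authorities gained) for each usable profile."""
    findings = []
    for actor, info in profiles.items():
        have = set(info["special"]).union(*(profiles[g]["special"] for g in info["groups"]))
        if "*ALLOBJ" in have:
            continue  # already authorized to every object
        for target in sorted(reachable(actor, profiles)):
            gained = sorted(profiles[target]["special"] - have)
            if gained:
                findings.append((actor, target, gained))
    return findings

if __name__ == "__main__":
    for finding in escalations(PROFILES):
        print(finding)
```

In the sample, CLERK1 reaches APPOWNER's *ALLOBJ only because the shared group owns SECADM1, which in turn owns APPOWNER; moving ownership of both to a security officer profile and setting *PUBLIC to *EXCLUDE clears every finding.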