Tweet
Is there a simple way to restrict a user with command line access (Which they need) from displaying certain menus. We changed the authority on a menu to *PUBLIC *EXCLUDE but they can still go into the menu and access the options. I thought *EXCLUDE would prevent them from using the object but I guess that isn't the case. Is there any way to prevent certain users from accessing the menu's so we don't have to lock down every option on every menu? This will at least buy us some time to come up with a more permanent solution. Thank you, Jim Quinlan Clearwater, FL
-
-
Restricting Menu Access
Jim, The user may have private authority to the menu. Granting a user private *EXCLUDE authority to a *MENU object will prevent that user from displaying that menu unless they have *ALLOBJ special authority or unless they have found a command line somewhere that is letting them use adopted authority. In my opinion propagating adopted authority to a command line is a security bug that should be fixed. If an IBM product is doing this please write us an APAR. An AP audit record will be written to the QAUDJRN each time adopted authority is used if *PGMADP auditing is turned on. Ed Fishel -
Restricting Menu Access
Ed, I did more investigation and there is an initial program that is called that adopts authority. That is why I wasn't able to restrict menu access. It adopts *QPGMR authority which seems pretty dangerous to me. Thanks for the response, JimComment
Comment