RVKOBJ/GRTOBJ *exclude with *allobj
Susan, Why do you think they called it "all object" authority? It's not a misnomer... Chris
Susan, Why do you think they called it "all object" authority? It's not a misnomer... Chris
>Without *CHANGE authority, it would be impossible for an operator to restore your objects from a backup, should those objects become damaged, or if you otherwise needed to replace your objects with a restored version.<<Please do not do not take this personal, but that statement is not correct. If someone only has *CHANGE authority they cannot save or restore someone else's objects. A user will need *OBJEXIST authority to an object to save or restore it or they will need *SAVSYS special authority. (They can get the *OBJEXIST authority in several ways, one of which is if they have *ALLOBJ authority.) If the objective is to give an operator authority to save and restore objects then the operator should be given *SAVSYS special authority. This allows then to do the save and restore operations but does not allow then to delete the object, or change the data in the object (by using interfaces like EDTF or STRSEU).
>There are legitimate purposes for *ALLOBJ authority.<<I agree, but someone who is only an operator should probably never be given *ALLOBJ special authority. Ed Fishel OS/400 Security, IBM Rochester
Comment