Tweet
Somehow or another. *ALLOBJ authority is being given to users via a third party program. I have a client that needs to secure OUTQ's so that only select users have access to the spool files within. They save the SPLF's so that they can search for particular things without having to flip thru pages of output. The source is not available to change the grant object authority, I have tried authorization lists, changing the OUTQ to *owner, changing authority to the WRKOUTQ command, all with no adequate results. Please Help.
-
-
How can I secure an OUTQ?
Why don't you have the client contact the software vendor and demand that this problem be resolved? I can't believe a reputable vendor would sell software that opened up so many security issues as this one seems to. This is not the kind of problem that should be fixed by the end user or their ocnsultant. This should be resolved at the source. Otherwise you're just treating the sympton, and not the disease. Gee...can I think of any more platitudes to share? -
How can I secure an OUTQ?
Shannon, I think that you have sufficiently beat that dead horse. JComment
-
How can I secure an OUTQ?
Shannon, I think that you have sufficiently beat that dead horse. J HA!Comment
-
How can I secure an OUTQ?
Because of that *ALLOBJ change, I don't think you can use object security. Though Shannon's been accused of beating a dead horse, I also agree most strongly with him! If a vendor's software keeps assigning *ALLOBJ authority to every user, then someone needs to get to the bottom of it, not work around it. What's the point of being at that level of security? Your client is vulnerable to all kinds of mischief, especially if users are connected to the AS/400(s) via the network and have access to the objects there via their PC applications. And, if they're open to the Internet in any way, then hackers can get to things they wouldn't ordinarily be able to get, if security were not being compromised. Does this keep happening (i.e., *ALLOBJ is removed, and it "comes back")? Can you remove those authorities and have them stay gone? I don't think ANY vendor software should be allowed to play around with the user profiles, by the way. Something's really wrong there. Once you resolve the issues with this vendor, and AS/400 security is allowed to operate as it was intended, then you'll be able to secure those output queues. By the way, is your client aware that those spooled files will be lost if the disk crashes? If they keep them for reference, wouldn't it be better to convert them to database files, which are then backed up and restoreable? Good luck! Try to let us know what happens in the end. That's something I wish happened more in discussions when there is a problem being addressed. I, for one, could learn a lot more if I knew how it was ultimately resolved.Comment
Comment