Cleaning up the house...
This post is, of course, too late, but I am enough of an egotist to ignore that. If you have a system where everyone is *SECOFR and/or enjoys *ALLOBJ, save the system and all security information, kick QSECLVL down to 20. Change all users to USRCLS(*USER) SPCAUT(*USRCLS). Strip all special authorities out of the libraries and objects. Change QCRTAUT to *USE or *EXCLUDE as appropirate, change all IBM provided libraries (specially QSYS) so that CRTAUT is *CHANGE, change all other libraries so that CRTAUT is *SYSVAL. Identify your applications, the libraries used by the applications. Identify or create a group profile to own the application. Change object ownership for each application/application libraries to the appropirate group profile. Add the user profiles to the appropriate group. MINIMIZE job descriptions, MINIMIZE profiles that DO NOT have a group profile (DSPAUTUSR). MINIMIZE authorization lists. When you think you are done, on a weekend with one application group, change QSECLVL to 30 and test. Kick back down to 20. Repeat for each application. When everyone signs off that their application works under SECLVL 30 (test EVERYTHING, printing, file transfer, remote commands, etc. etc.), kick it back up to 30, and make a private commitment to yourself to NEVER TAKE this kind of a THANKLESS JOB again.
This post is, of course, too late, but I am enough of an egotist to ignore that. If you have a system where everyone is *SECOFR and/or enjoys *ALLOBJ, save the system and all security information, kick QSECLVL down to 20. Change all users to USRCLS(*USER) SPCAUT(*USRCLS). Strip all special authorities out of the libraries and objects. Change QCRTAUT to *USE or *EXCLUDE as appropirate, change all IBM provided libraries (specially QSYS) so that CRTAUT is *CHANGE, change all other libraries so that CRTAUT is *SYSVAL. Identify your applications, the libraries used by the applications. Identify or create a group profile to own the application. Change object ownership for each application/application libraries to the appropirate group profile. Add the user profiles to the appropriate group. MINIMIZE job descriptions, MINIMIZE profiles that DO NOT have a group profile (DSPAUTUSR). MINIMIZE authorization lists. When you think you are done, on a weekend with one application group, change QSECLVL to 30 and test. Kick back down to 20. Repeat for each application. When everyone signs off that their application works under SECLVL 30 (test EVERYTHING, printing, file transfer, remote commands, etc. etc.), kick it back up to 30, and make a private commitment to yourself to NEVER TAKE this kind of a THANKLESS JOB again.
Comment