Q: Is there any reason why a user with *ALLOBJ special authority is not authorized to sign on to a specific device? Shouldn't *ALLOBJ special authority override the authority for a device description (*DEVD)?
A: Your system value to limit security officer device access (QLMTSECOFR) is probably set to '1' (explicit device access required). It limits users with *ALLOBJ or *SERVICE special authority to only those devices for which they have specific authority. It's the one exception to authority checking I know of that is bypassed when a user has the *ALLOBJ special authority value.
You must either change system value QLMTSECOFR to '0' (explicit device access not needed) or grant the users in question the device authority needed. (A user needs *CHANGE authority to sign on.)