Everyone's aware of the dangers of *ALLOBJ, *SECADM, and *SPLCTL special authorities. But what about the rest? This article discusses the issues you should be aware of when assigning the other special authorities.
By Carol Woodbury
When discussing the concept of "least privilege access" (that is, giving users only the authorities necessary to do their jobs), it's obvious that only trusted users should be granted *ALLOBJ special authority. It's also obvious that *SECADM, which allows users to create user profiles and modify them when they have *USE authority to the profile, should be given only to the people who need to maintain user profiles. Since *SPLCTL is the *ALLOBJ of spooled files, you should obviously grant that special authority only to users who are allowed to see all spooled files on the system. But who should be assigned the rest of the special authorities, and what vulnerabilities might you be causing when assigning them? Let's take a look.