Monitoring special authorities
Special authority is a type of authority a user can have to perform system functions, including all object authority, save system authority, job control authority, security administrator authority, spool control authority, service authority, and system configuration authority. SECBATCH menu options and commands are used to monitor special authorities.
When users on your system have unnecessary special authorities, your efforts to develop a good object-authority scheme may be wasted. Object authority is meaningless when a user profile has *ALLOBJ special authority. A user with *SPLCTL special authority can see any spooled file on the system, no matter what efforts you make to secure your output queues. A user with *JOBCTL special authority can affect system operations and redirect jobs. A user with *SERVICE special authority may be able to use service tools to access data without going through the operating system.
Use the following SECBATCH menu options to monitor special authorities: option 29 to submit the job immediately, or option 68 to use the job scheduler. The report can cover any of the following:
- All user profiles
- User profiles with specific special authorities
- User profiles that have specific user classes
- User profiles with a mismatch between user class and special authorities
An example of the report that shows the special authorities for all user profiles:
- Whether the user profile has limited capability.
- Whether the user or the user’s group owns new objects that the user creates.
- What authority the user’s group automatically receives to new objects that the user creates.
- USERX has a system operator (*SYSOPR) user class but has *ALLOBJ and *SPLCTL special authorities.
- USERY has a user (*USER) user class but has *SECADM special authority.
- USERZ also has a user (*USER) class and *SECADM special authority. You can also see that USERZ is a member of the QPGMR group, which has *JOBCTL and *SAVSYS special authorities.
You can run these reports regularly to help you monitor the administration of user profiles.
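The mismatch check described above can also be run over exported profile data. The following Python sketch is an added example, not IBM code: the profile records are constructed to mirror USERX, USERY, USERZ and QPGMR from the text (USERW is added for contrast), and the class-default table assumes a system at security level 30 or higher. It flags both extra and missing authorities and resolves what a user inherits through group membership.

```python
# Default special authorities per user class.
# Assumption: security level (QSECURITY) 30 or higher; lower levels grant more.
CLASS_DEFAULTS = {
    "*SECOFR": {"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"},
    "*SECADM": {"*SECADM"},
    "*PGMR": set(),
    "*SYSOPR": {"*JOBCTL", "*SAVSYS"},
    "*USER": set(),
}

# Constructed sample data: USERX, USERY, USERZ follow the text above;
# USERW is a hypothetical profile that matches its class defaults.
PROFILES = [
    {"name": "USERW", "user_class": "*USER", "special": set(), "groups": []},
    {"name": "USERX", "user_class": "*SYSOPR",
     "special": {"*ALLOBJ", "*SPLCTL"}, "groups": []},
    {"name": "USERY", "user_class": "*USER", "special": {"*SECADM"}, "groups": []},
    {"name": "USERZ", "user_class": "*USER", "special": {"*SECADM"},
     "groups": ["QPGMR"]},
]
# Special authorities held by group profiles (QPGMR values as given in the text).
GROUP_SPECIAL = {"QPGMR": {"*JOBCTL", "*SAVSYS"}}


def audit(profiles, group_special):
    """Return one finding per profile whose own special authorities
    differ from the defaults for its user class."""
    findings = []
    for p in profiles:
        defaults = CLASS_DEFAULTS[p["user_class"]]
        own = set(p["special"])
        inherited = set()
        for group in p["groups"]:
            inherited |= group_special.get(group, set())
        extra, missing = own - defaults, defaults - own
        if extra or missing:
            findings.append({
                "name": p["name"],
                "user_class": p["user_class"],
                "extra": sorted(extra),            # held beyond class defaults
                "missing": sorted(missing),        # class defaults not held
                "inherited": sorted(inherited - own),  # gained only via groups
                "effective": sorted(own | inherited),
            })
    return findings


if __name__ == "__main__":
    for f in audit(PROFILES, GROUP_SPECIAL):
        print(f["name"], f["user_class"], "extra:", f["extra"],
              "missing:", f["missing"], "effective:", f["effective"])
```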