Monitoring user profiles and authorities
Prevent or restrict users from installing their own programs. No program should be installed on the system without the approval of the security administrator.
When users on your system have unnecessary special authorities, your efforts to develop a good object-authority security scheme may be wasted. Object authority is meaningless when a user profile has *ALLOBJ special authority. A user with *SPLCTL special authority can see any spooled file on the system, no matter what efforts you make to secure your output queues. A user with *JOBCTL special authority can affect system operations and redirect jobs. A user with *SERVICE special authority may be able to use service tools to access data without going through the operating system.
- All user profiles
- User profiles with specific special authorities
- User profiles that have specific user classes
- User profiles with a mismatch between user class and special authorities
You can run these reports regularly to help you monitor the administration of user profiles.
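The special-authority and class-mismatch reports listed above can be sketched as follows. This is an added Python example, not IBM-supplied code, and it runs over a constructed profile listing. The comma-separated input format, the function names and the sample profiles are assumptions; the class defaults used are those that apply at security level 30 or higher.

```python
# Added example: audits a constructed profile listing (not IBM-supplied code).
# Assumption: CLASS_DEFAULTS holds the user-class defaults at security level 30+.
ALL_SPCAUT = {"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
              "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"}
CLASS_DEFAULTS = {
    "*SECOFR": ALL_SPCAUT,
    "*SECADM": {"*SECADM"},
    "*PGMR": set(),
    "*SYSOPR": {"*JOBCTL", "*SAVSYS"},
    "*USER": set(),
}
# The four authorities the text singles out as undermining object authority.
HIGH_RISK = {"*ALLOBJ", "*SPLCTL", "*JOBCTL", "*SERVICE"}

# Constructed sample input: profile name, user class, special authorities.
SAMPLE = """\
QSECOFR,*SECOFR,*ALLOBJ *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SECADM *SERVICE *SPLCTL
OPSNIGHT,*SYSOPR,*JOBCTL *SAVSYS
DEVJANE,*PGMR,*ALLOBJ *JOBCTL
CLERK01,*USER,*NONE
HELPDESK,*USER,*SPLCTL
ADMBOB,*SECADM,
"""

def parse_profiles(text):
    """Return (name, user_class, set_of_special_authorities) per record."""
    profiles = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_class, spcaut = (f.strip() for f in line.split(",", 2))
        auts = {a for a in spcaut.split() if a != "*NONE"}
        # Reject records the audit cannot reason about instead of guessing.
        if user_class not in CLASS_DEFAULTS or auts - ALL_SPCAUT:
            raise ValueError(f"unrecognized class or authority: {line!r}")
        profiles.append((name, user_class, auts))
    return profiles

def holders_of(profiles, wanted=HIGH_RISK):
    """Report: profiles holding any of the given special authorities."""
    return {n: sorted(a & wanted) for n, _, a in profiles if a & wanted}

def class_mismatches(profiles):
    """Report: profiles whose authorities differ from their class defaults."""
    findings = {}
    for name, user_class, auts in profiles:
        expected = CLASS_DEFAULTS[user_class]
        if auts != expected:
            findings[name] = {"class": user_class,
                              "extra": sorted(auts - expected),
                              "missing": sorted(expected - auts)}
    return findings
```

A profile such as OPSNIGHT appears in the special-authority report but not in the mismatch report, because *JOBCTL is a default for its class; each entry in the mismatch report is a profile whose authorities were changed by hand.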