Planning applications to prevent large profiles
To reduce impacts on the performance and security of your system, you need to plan your applications carefully to avoid large profiles.
Because of the potential impacts on performance and security, perform the following actions to prevent profiles from becoming too full:
- Do not have one profile own everything on your system.
Create special user profiles to own applications. Owner profiles that are specific to an application make it easier to recover applications and to move applications between systems. Also, information about private authorities is spread among several profiles, which improves performance. By using several owner profiles, you can prevent a profile from becoming too large because of owning too many objects. Owner profiles also allow you to adopt the authority of the owner profile rather than a more powerful profile that provides unnecessary authority.
- Avoid having applications owned by IBM-supplied user profiles, such as
QSECOFR or QPGMR.
These profiles own a large number of IBM-supplied objects and can become difficult to manage. Having applications owned by IBM-supplied user profiles can also cause security problems when moving applications from one system to another. Applications owned by IBM-supplied user profiles can also affect performance for commands, such as CHKOBJITG and WRKOBJOWN.
- Use authorization lists to secure objects.
If you are granting private authorities to many objects for several users, you should consider using an authorization list to secure the objects. Authorization lists will cause one private authority entry for the authorization list in the user's profile rather than one private authority entry for each object. In the object owner's profile, authorization lists create an authorized object entry for each user with authority to the authorization list.