You might want to evaluate the security effectiveness of large user profiles on your system. User profiles with large numbers of authorities, appearing to be randomly spread over most of the system, can reflect a lack of security planning.

Here is one method for locating large user profiles and evaluating them.
- Use the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system. Name the output file on the OUTFILE parameter, which is required when OUTPUT(*OUTFILE) is specified:
    DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) +
            DETAIL(*BASIC) OUTPUT(*OUTFILE) +
            OUTFILE(library-name/file-name)
- Create a query program to list the name and size of each user profile, in descending sequence by size.
- Print detailed information about the largest user profiles and evaluate the authorities and owned objects to see if they are appropriate:
    DSPUSRPRF USRPRF(user-profile-name) +
              TYPE(*OBJAUT) OUTPUT(*PRINT)
    DSPUSRPRF USRPRF(user-profile-name) +
              TYPE(*OBJOWN) OUTPUT(*PRINT)
Note: Directories and directory-based
objects are not printed. WRKOBJOWN and WRKOBJPVT commands can be used to display
directory-based objects and library-based objects, but there is no print function
associated with these commands.
Some IBM-supplied user profiles are
very large because of the number of objects they own. Listing and analyzing
them is not necessary. However, you should check for programs adopting the
authority of the IBM-supplied user profiles that have *ALLOBJ special authority,
such as QSECOFR and QSYS. See Analyzing programs that adopt authority.
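
One way to write the query in the second step, as an added example that is not part of the original procedure. It assumes the DSPOBJD output was written to a hypothetical file MYLIB/USRPRFSIZE and uses the field names of the QADSPOBJ model output file; the row limit and the Q-prefix flag are illustrative choices.

```sql
-- Added example. MYLIB.USRPRFSIZE is a hypothetical name for the output
-- file created by DSPOBJD in the first step.
-- ODOBNM, ODOBTP, ODOBSZ, ODSIZU, ODBPUN, ODOBOW and ODOBTX are fields of
-- the QADSPOBJ model output file that DSPOBJD fills in.
SELECT ODOBNM AS PROFILE_NAME,
       -- ODOBSZ is capped at 9,999,999,999; above that, the true size is
       -- units multiplied by bytes per unit.
       CASE WHEN ODOBSZ >= 9999999999
            THEN DECIMAL(ODSIZU, 15, 0) * ODBPUN
            ELSE ODOBSZ
       END AS SIZE_BYTES,
       ODOBOW AS PROFILE_OWNER,
       ODOBTX AS TEXT_DESCRIPTION,
       -- Assumption: a name starting with Q usually marks an IBM-supplied
       -- profile, which the procedure says need not be analyzed for size.
       -- The rows are flagged rather than dropped so nothing is hidden.
       CASE WHEN ODOBNM LIKE 'Q%' THEN 'Y' ELSE 'N' END AS Q_PREFIX
  FROM MYLIB.USRPRFSIZE
 WHERE ODOBTP = '*USRPRF'
 ORDER BY SIZE_BYTES DESC
 FETCH FIRST 25 ROWS ONLY;
```

The profiles at the top of this list with Q_PREFIX = 'N' are the candidates for the DSPUSRPRF reports in the third step.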