IBM Support

Preventing Someone with *ALLOBJ Authority from Touching Certain Objects

Troubleshooting


Problem

This document provides information on how to prevent someone with *ALLOBJ authority from touching an object.

Resolving The Problem

Some users have *ALLOBJ special authority. Is it possible to restrict them from a few highly sensitive objects?

Answer:

*ALLOBJ special authority literally means "all object" authority. A user whose own user profile carries *ALLOBJ special authority cannot be prevented from touching any object. However, this does not mean that the desired result cannot be achieved.

To grant a user authority to all objects except the few from which the user needs to be excluded, do not grant the user *ALLOBJ special authority in that user's own profile. Instead, assign the user profile to a group profile that holds *ALLOBJ. Suppose the user is Oscar. In the following example, we create a group profile called Felix and give Felix *ALLOBJ special authority. Next, we assign Felix as the group profile for Oscar. Finally, we explain how to keep Oscar from touching certain objects. On the IBM® OS/400® command line, type the following:

CRTUSRPRF USRPRF(FELIX) USRCLS(*USER) SPCAUT(*ALLOBJ)

In this case, we get message CPI2224, User class and special authorities do not match system supplied values. The message appears because the user class is *USER while we are granting the *ALLOBJ special authority. Because, in this hypothetical example, we do not want to add any other special authorities to Felix, the message can be ignored.

To make Felix the group profile for Oscar, on the OS/400 command line type the following:

CHGUSRPRF USRPRF(OSCAR) GRPPRF(FELIX)

Finally, we need to deal with the objects we do not want Oscar to touch. Suppose one of them is a library named MYLIB. We grant Oscar a private authority of *EXCLUDE to MYLIB:

GRTOBJAUT OBJ(MYLIB) OBJTYPE(*LIB) USER(OSCAR) AUT(*EXCLUDE)

When the user profile itself has a specific, private authority of *EXCLUDE to an object, that private authority is checked before the group profile's authority and therefore supersedes the *ALLOBJ special authority of the group profile. If the user has no private authority to the object, the user has full authority to it through the *ALLOBJ special authority in the group profile.
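The following is an added example, not IBM code: a simplified model of the authority lookup order described above (own *ALLOBJ, own private authority, group *ALLOBJ, group private authority, *PUBLIC). It reproduces the Felix/Oscar scenario and shows why a private *EXCLUDE stops Oscar only when *ALLOBJ lives in the group profile rather than in Oscar's own profile. Authorization lists and adopted authority, which the real system also consults, are left out of the model.

```python
from dataclasses import dataclass, field

ALLOBJ = "*ALLOBJ"
EXCLUDE = "*EXCLUDE"

@dataclass
class UserProfile:
    name: str
    spcaut: set = field(default_factory=set)   # SPCAUT(...) on the profile
    grpprf: "UserProfile" = None               # GRPPRF(...) group profile, if any

@dataclass
class SecuredObject:
    name: str
    private: dict = field(default_factory=dict)  # user name -> AUT from GRTOBJAUT
    public: str = "*USE"                         # *PUBLIC authority

def check_access(user: UserProfile, obj: SecuredObject) -> tuple:
    """Decide whether `user` may touch `obj` and report which step decided.
    Simplified order: user *ALLOBJ, user private, group *ALLOBJ, group private,
    *PUBLIC. The first step that applies is final; later steps are skipped."""
    if ALLOBJ in user.spcaut:                     # 1. own *ALLOBJ: cannot be overridden
        return True, "user *ALLOBJ"
    if user.name in obj.private:                  # 2. own private authority (incl. *EXCLUDE)
        aut = obj.private[user.name]
        return aut != EXCLUDE, f"user private {aut}"
    grp = user.grpprf
    if grp is not None:
        if ALLOBJ in grp.spcaut:                  # 3. group *ALLOBJ
            return True, "group *ALLOBJ"
        if grp.name in obj.private:               # 4. group private authority
            aut = obj.private[grp.name]
            return aut != EXCLUDE, f"group private {aut}"
    return obj.public != EXCLUDE, f"*PUBLIC {obj.public}"   # 5. public authority

# Constructed scenario matching the page: FELIX holds *ALLOBJ, OSCAR is in group FELIX.
FELIX = UserProfile("FELIX", spcaut={ALLOBJ})
OSCAR = UserProfile("OSCAR", grpprf=FELIX)
OSCAR_DIRECT = UserProfile("OSCAR", spcaut={ALLOBJ})     # *ALLOBJ granted in his own profile

MYLIB = SecuredObject("MYLIB", private={"OSCAR": EXCLUDE}, public=EXCLUDE)
OTHERLIB = SecuredObject("OTHERLIB", public=EXCLUDE)

if __name__ == "__main__":
    for u, o in [(OSCAR, MYLIB), (OSCAR, OTHERLIB), (OSCAR_DIRECT, MYLIB)]:
        allowed, why = check_access(u, o)
        print(f"{u.name} -> {o.name}: {'allowed' if allowed else 'denied'} ({why})")
```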
 
Warning: This is not a recommended practice. The following command allows a user to schedule jobs to run under profiles that have *ALLOBJ special authority, such as QSECOFR.

ADDJOBSCDE JOB(CHANGE) CMD(XXX) FRQ(*ONCE) USER(QSECOFR)


Historical Number

8001641

Document Information

Modified date:
08 October 2024

UID

nas8N1010251