I recently removed *ALLOBJ from a group of people here. Seems they have
this EDI process (which, they informed me, I originally wrote years
ago). This EDI process takes a save file full of files and restores them
to QTEMP. This allows the files to be empty, with the logicals pointed
right, and in QTEMP. If they try to submit a run 'on-the-fly' versus
using the scheduled method (which runs a lot of stuff they don't want for
this interrupted recovery), then they will get an error CPF3757. Seems
that the files are owned by a particular user to which they do not have
access. According to the CPF3757 I either grant them add authority to
that user profile, or I give them *SAVSYS special authority.

The concern I have with *SAVSYS is that I believe that they could save
sensitive data and restore it to a system on which they have higher
authority. (Physically possible without leaving their desk.)

I want to make sure that if I give them the authority they need to the
user profile owning the objects that they do not adopt any of the special
authority given to that user profile. We had a fiasco here in which these
people were given that profile as a supplemental group and lo and behold
they now had all special authority that the group profile had, including
*ALLOBJ.

What, exactly, does CPF3757 mean by add authority?

Pros and cons either way?

Please change subject if you respond to anything below this line.

I know that we violated a few things here, but we are trying to clean them
up. Like group profiles should not run jobs. For example EDIONR may be a
valid group profile. But the scheduled jobs should run under something
else, like EDIJOB.

CHGUSRPRF USRPRF(EDIONR)
          PASSWORD(*none)
          USRCLS(*USER)
          INLMNU(*SIGNOFF)
          LMTCPB(*YES)
          SPCAUT(*NONE)
          GRPPRF(*NONE)
          OWNER(*USRPRF)

CHGUSRPRF USRPRF(EDIJOB)
          PASSWORD(*none)
          USRCLS(*USER)
          INLMNU(*SIGNOFF)
          LMTCPB(*YES)
          SPCAUT(minimal amount needed)
          GRPPRF(EDIONR)
          OWNER(*GRPPRF)

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.