1.  Home
  2. MIDRANGE-L
  3. June 2004

RE: Locking out USRPRF with *ALLOBJ

I'll throw in my 2¢.  When consolidating multiple applications on a single
system I have had to deal with persons used to having *ALLOBJ authority.
What I have done is given all of the application objects a single owner,
then you can give an application admin "virtual *ALLOBJ" by making them a
member of the owner profile.  They have all authority to their own objects,
while you can still keep them out of system objects or other applications.
If set up correctly they can even administer their own user profiles without
seeing any that don't belong to them.

Regards, 

Scott Ingvaldson
iSeries System Administrator
GuideOne Insurance Group 

-----Original Message-----
date: Tue, 22 Jun 2004 15:37:39 -0400
from: "Buck Calabro" <buck.calabro@xxxxxxxxxxxx>
subject: Re: Locking out USRPRF with *ALLOBJ

> Is there a way to lock a USRPRF that has
> ALLOBJ authority out of a specific
> library and/or command?

As you've undoubtedly been told, you can't give someone the master key
to the building and then have a particular lock which doesn't allow
use of the master key.  For whatever reason, computer OS folks have
not adopted this particular real-world model.

A workaround is to create a different user profile which is explicitly
authorised to all the objects in the system (not via *ALLOBJ) -
perhaps an *AUTL.  Revoke that user from the command you want to
secure.  I don't think there is an easy, one-step method to do this.

As a footnote, no one should ever use a *ALLOBJ profile for any daily
work whatsoever.  All too often, that person creates object which
lesser profiles can not access, and it gradually becomes easier to
give everyone *ALLOBJ than to change the authority on the
mis-authorised objects.  If one goes that route, one may as well not
bother with authority.
  --buck
   
This message and accompanying documents are covered by the Electronic
Communications Privacy Act, 18 U.S.C. §§ 2510-2521, and contains information
intended for the specified individual(s) only. This information is
confidential. If you are not the intended recipient or an agent responsible
for delivering it to the intended recipient, you are hereby notified that
you have received this document in error and that any review, dissemination,
copying, or the taking of any action based on the contents of this
information is strictly prohibited. If you have received this communication
in error, please notify us immediately by e-mail, and delete the original
message.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.