|
Now, if instead of the user having *ALLOBJ, you've given *ALLOBJ to
the
group profile the user belongs to, then you could explicitly deny the user access to the object; since the users individual permissions are check before his group profile permissions.
That is a mere technical slight of hand - and I wouldn't recommend it. If you deny me access to an object, but permit me access to the *ALLOBJ capability, I can use the *ALLOBJ capability in any number of ways to get past the object restriction. Here is the easiest way... Where I am user JETST - a regular *USER with no special authority, but JETST belongs to group JEGRP. And JEGRP has *ALLOBJ authority And JOHNE is also a *ALLOBJ user User JETST submits the following command... SBMJOB CMD(GRTOBJAUT OBJ(QGPL/QDDSSRC) OBJTYPE(*FILE) USER(JETST) AUT(*ALL)) USER(JOHNE). End result, user JETST has *ALL authority to QGPL/QDDSSRC because JETST has the authority to *USE profile JOHNE (he got that authority from the *ALLOBJ in his group), and because user JOHNE has the authority to change the files authorities. jte
This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
