|
I don't even buy the *ALLOBJ, John. It seems to me that any automation process - and in the end, that is what an SCM system is: an object distribution automation - ought to follow the exact same security policies as the manual procedures it replaces. In the case of object creation and distribution, the programmer does the initial object creation. My guess is they don't ever need to sign on as QSECOFR or indeed as anything but their own profile to do their job. So that part of the process ought to run under their profile. And I don't think it's too hard to identify the profile to the SCM; that would be part of your standard procedure of setting up a programmer, wouldn't it? I mean, really, how much work is it to grant authority to a user profile?Additionally, there are certain functions that just can't be done without QSECOFR authority ... user profile handle switching, for example. You an do it if you know the user and password you are switching to, but in order to do the handle switch WITHOUT requiring the userid & password, you need QSECOFR authority.
User profile switching requires *USE to the object. Given the
difficulty of creating your own "FRED" profile and making sure it always
has *USE authority to every profile it might ever want to switch to
(including profiles not yet created), giving "FRED" *ALLOBJ seems like a
reasonable compromise. But it is likely also be unnecessary to provide
"FRED" with the other seven Special Authorities.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
