Re: Delete powerful profile that owns everything

If you remove the Sys Admin profile you will need to move all of the objects to
a new user.
Which user will that be? A generic user not associated with an actual human
being?
Why not just lock down the Sys Admin profile by changing the profile as to not
be allowed to signon; or just change the password.
The security issue with the Sys Admin profile seems to be that there was a user
who used it to signon and there is a fear that this user may signon again from
some where.
Are you also concerned about QSECOFR and QSYSOPR?
I would bet that the Sys Admin probably knows / knew how to signon as QSECOFR
and QSYSOPR too. But you will not be deleting these profiles.
I am just saying this in the hopes to save you anguish and headaches.

On October 20, 2014 at 10:29 AM Jim Franz <franz9000@xxxxxxxxx> wrote:


This is more of a discussion than a question.
Auditors are requiring we remove profiles for former employees, and we
recently lost our Sys Admin of ten years... and she owned "almost"
everything.
I already knew it was not a healthy setup, but the question is what form to
change to.
The removal of the profile has the option to reassign the ownership.
There are several package apps and inhouse apps.
The "Q" profiles do not own stuff except where the IBM product has a
profile (like IBM Content Manager). Most of the products do have a
profile.
We can create a profile to install/upgrade and own.
Also finding her profile in products using ftp..
Best practice?
Jim Franz
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Paul Therrien
Andeco Software, LLC
paultherrien@xxxxxxxxxxxxxxxxxx