Wednesday 17 October 2012

Pop quiz

If you are on an AS/400 and want to secure a directory or library from a particular user who has *ALLOBJ authority, can you do it?

….

You have a 50/50 chance on this one.

The correct answer - NO

http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzarl/rzarlallobjsa.htm

*ALLOBJ special authority

All-object (*ALLOBJ) special authority allows the user to access any resource on the system whether private authority exists for the user.

Even if the user has *EXCLUDE authority to an object, *ALLOBJ special authority still allows the user to access the object.

Risks: *ALLOBJ special authority gives the user extensive authority over all resources on the system. The user can view, change, or delete any object. The user can also grant to other users the authority to use objects.

A user with *ALLOBJ authority cannot directly perform operations that require another special authority. For example, *ALLOBJ special authority does not allow a user to create another user profile, because creating user profiles requires *SECADM special authority. However, a user with *ALLOBJ special authority can submit a batch job to run using a profile that has the needed special authority. Giving *ALLOBJ special authority essentially gives a user access to all functions on the system.
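Since *EXCLUDE cannot keep such a user out, the practical control is knowing which profiles hold *ALLOBJ. The query below is an added example, not part of the original post or the IBM documentation; it assumes an IBM i release that ships the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES views (newer than the V6R1 documentation linked above) and a caller authorized to read them.

```sql
-- Added example: list every profile that holds *ALLOBJ,
-- either directly or inherited from a group profile.
-- Assumes the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES views exist.

-- 1) Profiles with *ALLOBJ in their own special authorities
SELECT u.AUTHORIZATION_NAME          AS user_profile,
       'DIRECT'                      AS granted_via,
       u.STATUS                      AS profile_status
FROM   QSYS2.USER_INFO u
WHERE  u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'

UNION

-- 2) Members (primary or supplemental) of a group profile that has *ALLOBJ;
--    group members inherit the group's special authorities
SELECT m.USER_PROFILE_NAME                      AS user_profile,
       'GROUP ' CONCAT m.GROUP_PROFILE_NAME     AS granted_via,
       mu.STATUS                                AS profile_status
FROM   QSYS2.GROUP_PROFILE_ENTRIES m
JOIN   QSYS2.USER_INFO g
       ON g.AUTHORIZATION_NAME = m.GROUP_PROFILE_NAME
JOIN   QSYS2.USER_INFO mu
       ON mu.AUTHORIZATION_NAME = m.USER_PROFILE_NAME
WHERE  g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'

ORDER BY 1, 2;
```

Any profile on this list can reach the directory or library regardless of the private authorities set on it, so the review question is whether each one still needs *ALLOBJ.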

 

Let me know if you got that right!
