Object authority settings
Last Post 25 Nov 2012 01:53 PM by John Severinsen. 6 Replies.
Anil M Nair
New Member
Posts:53

--
22 Nov 2012 05:44 AM

We are trying to restrict the access to a certain library (QA data) so that only selected users can access. We had tried to change the authority using the edit authority option by setting *EXCLUDE for PUBLIC and adding a specific user with the access. But it seems all the users can still access the library and even modify the authority settings also. The authorisation list option was also tried with no positive results. Couple of questions:

1. Does the user need to have *SECOFR rights for setting the access?

2. All the users (including the one who is setting the access) are normal users with *PGMR access and belonging to a common group profile. Is this a problem?

3. Any other ways of restricting access without involving the admin guys? :)

 

Note: Tried re-setting the object owner from the group to an individual profile with negative results. Any help is appreciated.

 

Ringer
Veteran Member
Posts:1747

--
22 Nov 2012 08:12 AM
What is your QSECLVL system value?

Are the users getting to that library via a program that adopts authority?

Chris Ringer
Rusdy Heriyanto
New Member
Posts:8

--
22 Nov 2012 08:55 AM

Anil, maybe you can try organizing with object ownership.

First, you may need a that can be used as objects (in some cases called application) owner.

Then set/change the objects' owner to that .

From this point the can control the access authority to the objects. But of course, you still cannot prevent a user that has all object authority.

Rusdy

Rusdy Heriyanto
New Member
Posts:8

--
22 Nov 2012 08:59 AM
Sorry, a 'userid' has gone from the paragraph. It is supposed to be like this:

First, you may need a userid that can be used as objects (in some cases called application) owner.

Then set/change the objects' owner to that userid.

From this point the userid can control the access authority to the objects. But of course, you still cannot prevent a user that has all object authority.

Rusdy

John Severinsen
Advanced Member
Posts:487

--
22 Nov 2012 02:31 PM
First, to clear up some confusion you are having. You are confused by a person's user class and their special authority. *PGMR (and also *SECOFR) is a user class and has no bearing on a user's authority levels. This comes from the user's special authority (e.g. *JOBCTL, *ALLOBJ etc). In relation to object authority, *ALLOBJ is what you should be looking out for.

In order to help, we need more information from you about your authority setup.
You mention that users are "normal" users with *PGMR access. As mentioned, this is a user class so has no relevance to accessing an object on the system. Check your users' special authority and advise us what they are.
From what you are describing, I would hazard a guess they have *ALLOBJ authority. If that's the case, there is nothing you can do to secure the library and the users' authority levels on your system should be looked at pronto.

FYI, you don't need "*SECOFR rights" to change object authorities, you simply need enough authority to the object to do so. These rights come from a mixture of the authority on the object, your profile's special authority and any group profile's special authority. If you don't have enough authority, you will receive an error when you try and change it.
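
Editor's added example, not part of any post in this thread: one way to answer the two questions asked above (the QSECLVL value, and which users hold *ALLOBJ either directly or through a group profile) with SQL. It assumes an IBM i release that provides the QSYS2 services SYSTEM_VALUE_INFO, USER_INFO and GROUP_PROFILE_ENTRIES; the result column aliases are chosen here for illustration.

```sql
-- Added example (editor's, not from the thread).
-- Assumption: the QSYS2 services used below exist on this release.

-- 1. Security level asked about earlier in the thread.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE AS SECURITY_LEVEL
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSECLVL';

-- 2. Every profile that effectively has *ALLOBJ, and where it comes from.
--    User class (*PGMR, *SECOFR, ...) is listed only for comparison:
--    it is the special authority column that decides access.

-- 2a. *ALLOBJ held on the user's own profile
SELECT u.AUTHORIZATION_NAME  AS USER_PROFILE,
       u.USER_CLASS_NAME     AS USER_CLASS,
       'OWN PROFILE'         AS ALLOBJ_SOURCE,
       u.AUTHORIZATION_NAME  AS GRANTING_PROFILE
  FROM QSYS2.USER_INFO u
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'

UNION

-- 2b. *ALLOBJ inherited from a group or supplemental group profile
SELECT m.AUTHORIZATION_NAME,
       m.USER_CLASS_NAME,
       'GROUP PROFILE',
       g.AUTHORIZATION_NAME
  FROM QSYS2.GROUP_PROFILE_ENTRIES e
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = e.GROUP_PROFILE_NAME
  JOIN QSYS2.USER_INFO m
    ON m.AUTHORIZATION_NAME = e.USER_PROFILE_NAME
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'

 ORDER BY USER_PROFILE, ALLOBJ_SOURCE;
```

Any profile returned by the second query is not stopped by *EXCLUDE on the library, whatever its user class says.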
Anil M Nair
New Member
Posts:53

--
22 Nov 2012 11:18 PM

Thank you everyone for the responses.

John, your guess was absolutely right. All the users are having *ALLOBJ authority and I believe it is the problem.

 

 

John Severinsen
Advanced Member
Posts:487

--
25 Nov 2012 01:53 PM
Posted By Anil M Nair on 23 Nov 2012 12:18 AM

[snip] All the users are having *ALLOBJ authority and I believe it is the problem.

Someone really ought to look at your user setup and system authority. This is a very powerful god-like authority to have and I'm surprised it passes any form of audit. Not only does it effectively turn off object authority checking so your users can change/delete etc any file on the system, a programmer can use this authority to become QSECOFR and do anything they like. I can't stress enough how bad this is...

 
