
Steve Pitcher › Locking Down QSYSOPR From IBM i Users Who Have *ALLOBJ Authority

November 9th, 2012
A few months ago I posed the following question on Twitter: how do you restrict delete rights on the QSYSOPR message queue for an IBM i user with *ALLOBJ special authority?

I had a few responses ranging from:

  • Take *ALLOBJ special authority away from the user and restrict rights for that user on the message queue. That's easier said than done, but it's a perfect example of why programmers or operators shouldn't have *ALLOBJ special authority.
  • Create a never-ending program that allocates the message queue so that nobody can remove any messages while the program job is running.
  • Nothing.  You can't do anything about that. 

While at IBM Rochester this week I offhandedly threw that problem out there.

Laural Schneckloth Bauer, one of the fantastic people from IBM Lab Services whom I've been working with, mentioned that the easiest and most unobtrusive method of restricting rights would be to:

  • Create an IBM i Group Profile with *ALLOBJ authority
  • Add the user to that Group Profile
  • Explicitly restrict delete rights on the QSYSOPR message queue for that user.  

That user still maintains *ALLOBJ authority to everything except for objects you explicitly specify. Neat, huh?
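The three steps above as CL commands, in an added example that is not from the original post. GRPALLOBJ and OPER1 are hypothetical profile names, and the authority lists are constructed. It assumes *ALLOBJ is removed from the user's own profile, since IBM i checks the user's own special authority and private authority to an object before it looks at the group.

```cl
/* Added example: GRPALLOBJ and OPER1 are hypothetical names.        */

/* 1. Group profile that carries *ALLOBJ. PASSWORD(*NONE) means      */
/*    nobody can sign on as the group itself.                        */
CRTUSRPRF USRPRF(GRPALLOBJ) PASSWORD(*NONE) SPCAUT(*ALLOBJ) +
          TEXT('Group profile supplying *ALLOBJ')

/* 2. Add the user to the group. Assumption: the user's own SPCAUT   */
/*    no longer lists *ALLOBJ, otherwise the private authority in    */
/*    step 3 is never consulted. The remaining special authorities   */
/*    shown here are constructed; keep whatever the role needs.      */
CHGUSRPRF USRPRF(OPER1) GRPPRF(GRPALLOBJ) SPCAUT(*JOBCTL *SAVSYS)

/* 3. Private authority on the message queue for that user, with     */
/*    *DLT left out. REPLACE(*YES) discards any authority the user   */
/*    already held on the object. Assumption: the user still needs   */
/*    to display, send and reply to messages.                        */
GRTOBJAUT OBJ(QSYS/QSYSOPR) OBJTYPE(*MSGQ) USER(OPER1) +
          AUT(*OBJOPR *READ *ADD *UPD) REPLACE(*YES)

/* Check the result: OPER1 should appear with a private authority    */
/* that lacks Delete, and the profile should show the group but no   */
/* *ALLOBJ of its own.                                               */
DSPOBJAUT OBJ(QSYS/QSYSOPR) OBJTYPE(*MSGQ)
DSPUSRPRF USRPRF(OPER1)
```

Any program the user runs that adopts an *ALLOBJ owner's authority bypasses this restriction, so review adopted-authority programs the user can call.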




