My first thought/question is why a given user has *ALLOBJ special authority when you don't want them to have access to objects on the system. It might be easier to find a way to eliminate the need for this special authority.
Operations Navigator Application Administration does provide the ability to customize what a user see on the Navigator interface but, as mentioned in <a href="http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzaj3/rzaj3security.htm">this Information Center article</a> this does not limit access to the underlying obects, it just limits the interfaces to the objects that the user sees.
There are many exit points that can be used to restrict access to objects. The i5/OS servers that support Navigator provide exit program capability so that you could deny requests based on the *USRPRF. But before trying to intercept every possible request from these *ALLOBJ users I would, as mentioned before, first find out why they have *ALLOBJ in the first place and find a method by which we can give them a more appropriate set of object rights.
Integrated solutions for the System i user community
Last Wiki Answer Submitted: March 5, 2008 11:20 am by bvining6,055 pts.