AS/400 access control for commands

30 pts.
Tags:
Access control
AS 400
AS/400
AS/400 Access Paths
AS/400 administration
Some of the system commands are considered to be powerful like, {*USRPRF,*AUTHLR, CHGSYSLIBL, CHGSYSVAL, etc}. 1. Limiting capability does not restrict a user from executing a command. If so how can we restrict the user access to these commands? 2. Is there way to list all users with the access to these commands? Or does it require individually verifying all users?

Software/Hardware used:
Software
ASKED: August 27, 2010  7:24 AM
UPDATED: June 13, 2013  4:31 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    The problem might be that right now you shouldn't have any normal users who have access to those commands. If your users already have sufficient authority to run CHGSYSLIBL for example, then someone has already changed authorities to make the command available or your users have excessive authority, perhaps because they have *ALLOBJ special authority or have access to it through a group profile or other means. The default *PUBLIC authority for CHGSYSLIBL is *EXCLUDE. There shouldn't be anything for you to do. It should already be okay. If command authorities have previously been changed, you should simply set each command back to the default authority. Appendix C of the Security Reference manual lists all commands that ship with *PUBLIC *EXCLUDE default authority. If any of your commands are different, use EDTOBJAUT or GRTOBJAUT to reset the authority. If your users have excessive authority such as *ALLOBJ, then you can't restrict the commands. You need to remove the special authority from the users. Be aware that that will probably cause other things not to work for those users, so you'll need to fix anything that fails by some other method. Unless we know why your users can run troublesome commands, we can't tell you how to fix it. Why do you think there is a problem now? What happens that you think should be fixed? Does it happen for all users or only for certain ones? Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following