Comments on: command restrict http://itknowledgeexchange.techtarget.com/itanswers/command-restrict/ Tue, 21 May 2013 13:34:32 +0000 hourly 1 By: tomliotta http://itknowledgeexchange.techtarget.com/itanswers/command-restrict/#comment-70973 tomliotta Sun, 29 Nov 2009 09:19:04 +0000 #comment-70973 You can indeed exclude programmers from PWRDWNSYS, etc., by object authority. It just isn’t very effective against competent developers. It’s temporary for as long as a developer allows it to be effective. Do you also ensure that developers cannot create message files for production apps? If not, then object authority is probably insufficient. A message file can defeat it. Plenty of other possibilities exist. (Many!)

Now, object authority is still a good idea. It is an excellent assistance for mistake avoidance. For developers, though, a combination of policy and trust is where the effort should be placed.

Tom

]]> By: dand http://itknowledgeexchange.techtarget.com/itanswers/command-restrict/#comment-69549 dand Tue, 27 Oct 2009 17:42:54 +0000 #comment-69549 Object level authority is a perfectly acceptable way to control access to commands. Do you let programmers on your systems have access to PWRDWNSYS or ENDTCPSVR or ENDHOSTSRV commands? We only give programmers read rights to data in their job sphere but they have *JOBCTL so they can use a number of “dangerous” commands if authorized to them.

]]>