 DLTOBJ command restricted
In our concern we have restricted the command DLTOBJ. Also, no user should delete any object without a confirmation mail from secadmin. But some users delete the objects using option 4. How can we find that object and the user who deleted that object?

ASKED: September 19, 2011  12:12 PM
UPDATED: March 31, 2012  4:03 PM

Answer Wiki:
If you are doing system-level journaling, then you have to check the system journal receiver entries via an outfile. Syed
Last Wiki Answer Submitted:  September 19, 2011  2:17 pm  by  abiha6325   110 pts.


Discuss This Question:

How are you restricting the user? Is it at command level?
The DLTOBJ command looks like a TAATOOL command.
When you are restricting the user from DLTOBJ, when the user takes option '4' the corresponding command will be DLTF (for file), DLTPGM (for program). You will need to restrict the user from using all these commands.
Are you restricting the user without using these commands also?

Pradeep.

 3,370 pts.

 

With journaling you would be able to find out who did it, but you would not be able to easily restore the data since the journal would only contain a single entry that the file was deleted. You would have to RSTOBJ from a backup and then use the journal to apply all the changes that were done since that backup.

Now, regarding restricting a user from deleting an object.
You can use standard AS400 Authority to do this.
My questions are:
What users are working from a cmd line, and what are they doing?
What types of files/objects are they deleting?
There are many different ways to control this, but without having more knowledge of the problem and the business logic to give users use of a command line, it would be useless to give more suggestions.
Point of clarification: When you say users, I am assuming you do not mean developers.

 32,825 pts.

 

DLTOBJ is an i 7.1 command from IBM. It was provided as a generic command to handle many kinds of objects. However, each object has a specific command that works on that kind of object. Further, many objects can be deleted using the IFS form with the DEL command or using Qshell and the rm utility (or using other shells). Objects may even be deleted using Windows Explorer without actually entering any commands at all.

The only real way to stop users from deleting files is to remove their authority to delete the files. Use resource security to set your rules. Then your users can run DLTOBJ as often as they want, but those files won’t be deleted.

If users have the authority to delete an object, then securing a command won’t protect that object. It just adds more work for administrators.

Tom

 107,965 pts.

 

Tom, I seem to remember that command on the S/38, and a right nuisance it was too. It was replaced with the various object-specific delete commands as it was a bit too indiscriminate for most developers.

 5,670 pts.
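
The journal lookup suggested in the Answer Wiki and in the journaling reply above, sketched as a CL program. This is an added example, not code posted by any participant. It assumes the journal in question is the security audit journal QSYS/QAUDJRN with delete auditing switched on, and QTEMP/AUDDO is a hypothetical work file name.

```cl
/* Added example, not from the thread.                                 */
/* Assumption: QAUDCTL includes *AUDLVL and QAUDLVL includes *DELETE,   */
/* so each deletion writes a DO (delete operation) entry to QAUDJRN,    */
/* whichever command or menu option was used to delete the object.      */
PGM
   /* An empty result means nothing unless auditing was on at the time  */
   DSPSYSVAL  SYSVAL(QAUDCTL)
   DSPSYSVAL  SYSVAL(QAUDLVL)

   /* Start from a fresh copy of the IBM model outfile for DO entries   */
   /* so the entry-specific data is split into named fields             */
   DLTF       FILE(QTEMP/AUDDO)
   MONMSG     MSGID(CPF2105)      /* not found on the first run         */
   CRTDUPOBJ  OBJ(QASYDOJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
                TOLIB(QTEMP) NEWOBJ(AUDDO)

   /* Extract only the DO entries (journal code T = audit) from every   */
   /* receiver still in the current chain. FROMTIME and TOTIME can      */
   /* narrow the range once the approximate deletion time is known.     */
   DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                JRNCDE((T)) ENTTYP(DO) +
                OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                OUTFILE(QTEMP/AUDDO) OUTMBR(*FIRST *REPLACE)

   /* List the field names, then browse the entries. The columns to     */
   /* read are the user profile (DOUSPF), the job (DOJOB, DOUSER,       */
   /* DONBR), the timestamp (DOTSTP) and the deleted object (DOONAM,    */
   /* DOOLIB, DOOTYP).                                                  */
   DSPFFD     FILE(QTEMP/AUDDO)
   RUNQRY     QRY(*NONE) QRYFILE((QTEMP/AUDDO))
ENDPGM
```

Receivers that have already been detached and deleted are outside *CURCHAIN, so how far back this reaches depends on how long audit journal receivers are kept.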