Comments on: DLTOBJ command restricted

By: The Most-Watched IT Questions: October 4, 2011 - ITKE Community Blog

The Most-Watched IT Questions: October 4, 2011 - ITKE Community Blog — Tue, 04 Oct 2011 06:55:32 +0000

[...] 7. Abiha6325, Deepu9321, CharlieBrowne, TomLiotta, and Splat discuss a member’s policy of restricting the DLTOBJ command. [...]

By: splat

splat — Wed, 21 Sep 2011 14:38:58 +0000

Tom, I seem to remember that command on the S/38, and a right nuisance it was too. It was replaced with the various object-specific delete commands as it was a bit too indiscriminate for most developers.

By: tomliotta

tomliotta — Tue, 20 Sep 2011 00:54:05 +0000

DLTOBJ is a i 7.1 command from IBM. It was provided as a generic command to handle many kinds of objects. However, each object has a specific command that works on that kind of object. Further, many objects can be deleted using the IFS form with the DEL command or using Qshell and the rm utility (or using other shells). Objects may even be deleted using Windows Explorer without actually entering any commands at all.

The only real way to stop users from deleting files is to remove their authority to delete the files. Use resource security to set your rules. Then your users can run DLTOBJ as often as they want, but those files won’t be deleted.

If users have the authority to delete an object, then securing a command won’t protect that object. It just adds more work for administrators.

Tom

By: charliebrowne

charliebrowne — Mon, 19 Sep 2011 16:14:04 +0000

With jounaling you would be able to find out who did it, but you would not be able to easily restore the data since the the journal would only contain a single entry that the file was deleted. You would have to RSTOBJ from a backup and then use the Journal to apply all the changes that were done since that backup.

Now, regarding restricting a user from deleting an object.
You can use standard AS400 Authority to do this.
My questions are:
What users are working from a cmd line? and what are they doing?
What types of files/objects are they deleting?
There are many different ways to control this, but without having more knowledge of the problem and the business logic to give users use of a command line, it would be useless to give more suggestions.
Point of clarification: When you say users, I am assuming you do not mean develoeprs.

By: deepu9321

deepu9321 — Mon, 19 Sep 2011 13:15:06 +0000

How are you restricting user? Is it at command level?
DLTOBJ command looks like TAATOOL command.
When you are restricting the user from DLTOBJ, When user takes option ’4′ the corresponding Command will be DLTF(for file), DLTPGM(for Program), You will need to restrict the user from using all these commands.
Are you restricting the user without using these commands also?

Pradeep.