AS/400 Command Line and Special Authorities

100 pts.
Tags:
*ALLOBJ
AS/400
Command line
  1. Let's say command XYZ has PUBLIC set to *EXCLUDE. If I have access to the command line and not *ALLOBJ, I cannot access that command, right? If I have *ALLOBJ or belong to the authorization list, then I can launch it?
  2. Second question: if a user has full access to the command line (Limit cap = *NO), but does not have *ALLOBJ or *SECADM, can that user still create profiles or change security? What can that user do with the command line that would be risky?
  3. Third question: a lot of people usually argue about this: if the user only has *SECADM and not *ALLOBJ, that user cannot create profiles or modify security. I don't agree, but I want to make sure I obtain the right answer.
Discuss This Question: 4  Replies

  • azohawk
    For part of this, I am going to copy my answer from another question that I just responded to:

    I used to have a book that in a couple of pages clearly outlined the checks used for authority checking. I don't recall all of the exact steps in the middle, but it went something like this:
    1. Does the user have *allobj? If yes, they get in.
    2. Does the object explicitly grant authority to the object? If yes, and the granted authority permits the user to do what they are trying to do, permission granted.
    3. Check if the user has group authority
    4. Check authorization list.
    5. *Public authority is the final check.

    (I think that there was one more check, but I don't recall it off hand, and I may have 3 and 4 reversed, but you get the idea).

    Of course if they don't have authority to the library, I don't think that can be bypassed at the object level.

    Seldom should anyone outside of I.T. have *allobj, and that should be limited to administrators of the system.
    -----
    (added comments)
    The exception to this would be an object (normally a program) that has "use adopted authority" set to owner; then the owner's authority will take precedence.
    2. To change/create profiles other than your own, you must have *secadm or create a program that the owner has authority to *secadm and use adopted authority to run that program.
    3. *secadm (security administrator) is the only authority required.
    4,055 points
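To make the search order in the reply above concrete, here is an added example (not from the thread and not IBM code) that walks the five checks plus the adopted-authority exception over the asker's scenario of a command with *PUBLIC *EXCLUDE. It is a simplified model: user names, the authorization list XYZAUTL and the program RUNXYZ are constructed, and a matching private, group or authorization-list entry is assumed to be decisive with no fall-through.

```python
# Toy model of the authority search order recalled in the reply above,
# applied to the asker's scenario (command XYZ with *PUBLIC *EXCLUDE).
# Constructed example; names and data are made up and this is not IBM code.
AUTH_LEVELS = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

def covers(granted, requested):
    """*EXCLUDE never satisfies a request; higher levels include lower ones."""
    return granted != "*EXCLUDE" and AUTH_LEVELS[granted] >= AUTH_LEVELS[requested]

def check_authority(user, obj, requested, users, auth_lists):
    """Walk the checks in the order given in the reply and return
    (allowed, check_that_decided).  A matching private, group or
    authorization-list entry is treated as decisive (no fall-through);
    that is a simplification chosen for this model."""
    u = users[user]
    if "*ALLOBJ" in u["special"]:                      # 1. special authority
        return True, "1:*ALLOBJ"
    if user in obj["private"]:                          # 2. private authority
        return covers(obj["private"][user], requested), "2:private"
    for g in u["groups"]:                               # 3. group authority
        if g in obj["private"]:
            return covers(obj["private"][g], requested), "3:group " + g
    autl = auth_lists.get(obj["autl"], {})              # 4. authorization list
    for principal in [user] + u["groups"]:
        if principal in autl:
            return covers(autl[principal], requested), "4:autl " + obj["autl"]
    return covers(obj["public"], requested), "5:*PUBLIC"  # 5. public authority

def check_via_program(user, program, obj, requested, users, auth_lists):
    """Adopted authority: if PROGRAM adopts its owner's authority, a user
    denied on their own authority is re-checked as the program's owner."""
    allowed, why = check_authority(user, obj, requested, users, auth_lists)
    if not allowed and program["adopt"]:
        allowed, why = check_authority(program["owner"], obj, requested, users, auth_lists)
        why = "adopted from " + program["owner"] + " -> " + why
    return allowed, why

# Constructed sample data: command XYZ is *PUBLIC *EXCLUDE and secured by
# authorization list XYZAUTL; three users with different authorities.
USERS = {
    "QSECOFR": {"special": {"*ALLOBJ", "*SECADM"}, "groups": []},
    "ALICE":   {"special": set(), "groups": ["OPSGRP"]},
    "BOB":     {"special": set(), "groups": []},
}
AUTH_LISTS = {"XYZAUTL": {"ALICE": "*USE"}}
CMD_XYZ = {"private": {}, "autl": "XYZAUTL", "public": "*EXCLUDE"}
PGM_RUNXYZ = {"owner": "QSECOFR", "adopt": True}
```

Run QSECOFR, ALICE and BOB through `check_authority` against `CMD_XYZ` to see each stop at check 1, check 4 and check 5 respectively, and `check_via_program` to see BOB get through only via the adopting program.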
  • aldc123
    Hi man!
    Thanks a lot for your answers. Could you give more details for Question part (1)?

    Thanks in advance!
    100 points
  • aldc123
    Can you please explain then why IBM says that it requires SECADM and *ALLOBJ, and not only *SECADM: https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_61/rzarl/rzarlallobjsa.htm?
    100 points
  • TheRealRaven
    @aldc123 : It would be very hard to explain why IBM says that because that is not what IBM says at that link. It only says that *ALLOBJ is not sufficient to create user profiles and that *SECADM is required to create user profiles. It does not say that both special authorities are required.

    Having only *SECADM gives you authority only to user profiles that you have created, not to profiles created by another *SECADM user. But if you also have *ALLOBJ, you gain authority over all user profiles. You also gain the capability to grant *SECADM to user profiles that you create.

    A department manager might be given *SECADM. That would allow that manager to create user profiles for employees within that department, but there would be no authority over users working in other departments.
    36,320 points
