ibmi-brunch-learn

Production library authority


  • Production library authority

    As a result of a recent audit, we are required to restrict programmer access to our production machine so we only have read rights to the production libraries. To do this, our manager has removed *ALLOBJ rights from our user profile(s) on the production box. Removing *ALLOBJ does not appear to prevent adding new objects to the production library. I assume removing *ALLOBJ only prevents deleting or changing existing items that we do not own. So, to prevent adding new objects to the production library, what additional authority restrictions are necessary? I assume this would be removing *ADD rights to the library, right? If not, how do I go about this?

  • #2
    Your programmers had *ALLOBJ access in production!? :-O
    This is a big topic and there just isn't a simple answer; however, you will need to review your profiles along with the object-level security on your system.

    The removal of *ALLOBJ is however a must as that special authority basically stops the system from performing authority checks on an object. It's very powerful and should be highly restricted so good to hear you have done that for the programmers. Hopefully it's not present on too many other profiles.

    You mention that the programmers should only have read authority. The removal of *ALLOBJ may not be sufficient for that: what is the authority on the library and objects? In order to access an object, the profile needs authority to the object and to the library it is contained in. The level of authority will determine what they can do. If a file, for instance, has *USE authority, that would allow them to read the file contents but not to add/change/delete records. If it has *CHANGE authority, they will be able to add/change/delete records. That isn't read-only access. What is the authority on the objects on your system and also on newly created objects?

    The authority on the objects themselves is one part, the other part is at the user profile level. A profile could be granted authority by means of group/supplemental group profiles, adopted authority, object ownership, authorisation lists etc. Can the programmers get more than read access by one of these means?

    The best source of information is the security reference manual. It has the authority checking flowcharts in it which show you what steps the system performs to determine if an operation on an object is allowed. The appendices also list the authorities required to perform an operation such as CRTPF along with the authorities required to perform an operation on an object.
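    As an added example (my own, not code from the thread), here is the CL an administrator could run to set up the read-only arrangement the reply describes: *USE on the library lacks *ADD, so nothing new can be created in it, while *USE on the objects and on CRTAUT keeps files read-only. PRODLIB, PGMRGRP and PGMR01 are assumed names for the production library, the programmers' group profile and one programmer's user profile.

```cl
/* Added example, not from the thread. Assumed names: PRODLIB = the     */
/* production library, PGMRGRP = programmers' group profile,            */
/* PGMR01 = one programmer's user profile.                              */

/* 1. Special authority. *ALLOBJ bypasses object authority checks       */
/*    entirely (the step the poster already took). SPCAUT(*NONE)        */
/*    also drops any other special authorities the profile had.         */
CHGUSRPRF USRPRF(PGMR01) SPCAUT(*NONE)

/* 2. Library authority. *USE = *OBJOPR + *READ + *EXECUTE: the user     */
/*    can find and use objects in the library but has no *ADD, so no    */
/*    new objects can be created in it. *CHANGE would add *ADD, *DLT    */
/*    and *UPD. Revoke first so no stale *CHANGE/*ALL entry survives,   */
/*    then grant exactly *USE.                                          */
RVKOBJAUT OBJ(PRODLIB) OBJTYPE(*LIB) USER(PGMRGRP) AUT(*ALL)
GRTOBJAUT OBJ(PRODLIB) OBJTYPE(*LIB) USER(PGMRGRP) AUT(*USE)

/* 3. *PUBLIC matters just as much: a library created with the shipped  */
/*    QCRTAUT default of *CHANGE lets everyone add objects even after   */
/*    *ALLOBJ is gone. Use *EXCLUDE instead of *USE if only named       */
/*    profiles/groups should see production at all.                     */
RVKOBJAUT OBJ(PRODLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(PRODLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)

/* 4. Objects created in the library later take CRTAUT as their        */
/*    *PUBLIC authority; *USE keeps them read-only for the public.      */
CHGLIB LIB(PRODLIB) CRTAUT(*USE)

/* 5. Existing objects: a file at *CHANGE still allows add/change/      */
/*    delete of records, so set the group to *USE on everything.        */
/*    Owners keep full authority regardless, so also check that         */
/*    programmers do not own production objects.                        */
RVKOBJAUT OBJ(PRODLIB/*ALL) OBJTYPE(*ALL) USER(PGMRGRP) AUT(*ALL)
GRTOBJAUT OBJ(PRODLIB/*ALL) OBJTYPE(*ALL) USER(PGMRGRP) AUT(*USE)

/* 6. Verify: library authority, CRTAUT (shown by DSPLIBD), and the     */
/*    profile's special authorities and group/supplemental groups.      */
DSPOBJAUT OBJ(PRODLIB) OBJTYPE(*LIB)
DSPLIBD LIB(PRODLIB)
DSPUSRPRF USRPRF(PGMR01)
```

    Adopted authority from programs and authorization lists (*AUTL) are not covered here; DSPOBJAUT on the objects shows whether an authorization list is attached.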
