ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvmonitorspecauth.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Monitor special authorities" />
<meta name="abstract" content="This topic describes the SECBATCH menu options and commands used to monitor special authorities." />
<meta name="description" content="This topic describes the SECBATCH menu options and commands used to monitor special authorities." />
<meta name="DC.Relation" scheme="URI" content="rzamvmonitorauth.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvspecialauth.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="monitorspecauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Monitor special authorities</title>
</head>
<body id="monitorspecauth"><a name="monitorspecauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Monitor special authorities</h1>
<div><p>This topic describes the SECBATCH menu options and commands used
to monitor special authorities.</p>
<p><span class="uicontrol">Special authority</span> is a type of authority a user
can have to perform system functions, including all object authority, save
system authority, job control authority, security administrator authority,
spool control authority, service authority, and system configuration authority.</p>
<p>When users on your system have unnecessary special authorities, your efforts
to develop a good object-authority scheme may be wasted. Object authority
is meaningless when a user profile has *ALLOBJ special authority. A user with
*SPLCTL special authority can see any spooled file on the system, no matter
what efforts you make to secure your output queues. A user with *JOBCTL special
authority can affect system operations and redirect jobs. A user with *SERVICE
special authority may be able to use service tools to access data without
going through the operating system.</p>
<p>Use the following SECBATCH menu options to monitor special authorities: <kbd class="userinput">29</kbd> to
submit the job immediately or <kbd class="userinput">68</kbd> to use the job scheduler.</p>
<div class="p">You can use the Print User Profile (PRTUSRPRF) command to print information
about the special authorities and user classes for user profiles on your system.
When you run the report, you have several options: <ul><li>All user profiles</li>
<li>User profiles with specific special authorities</li>
<li>User profiles that have specific user classes</li>
<li>User profiles with a mismatch between user class and special authorities.</li>
</ul>
</div>
<p>The following figure shows an example of the report that shows the special
authorities for all user profiles:</p>
<div class="fignone"><span class="figcap">Figure 1. User Information Report:
Example 1</span><pre>                       User Profile Information 

Report type . . . . . . . . . : *AUTINFO 
Select by . . . . . . . . . . : *SPCAUT 
Special authorities . . . . . : *ALL 
              -------------Special Authorities------------- 
                           *IO                                                Group 
User    Group    *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User            Group     Authority Limited
Profile Profiles OBJ  IT   CFG CTL  SYS  ADM  VICE  CTL Class   Owner   Authority Type      Capability
USERA  *NONE     X    X    X   X    X    X    X     X   *SECOFR *USRPRF *NONE     *PRIVATE  *NO 
USERB  *NONE                   X    X                   *PGMR   *USRPRF *NONE     *PRIVATE  *NO 
USERC  *NONE     X    X    X   X    X    X    X     X   *SECOFR *USRPRF *NONE     *PRIVATE  *NO 
USERD  *NONE                                            *USER   *USRPRF *NONE     *PRIVATE  *NO</pre>
</div>
<div class="p">In addition to the special authorities, the report shows the following: <ul><li>Whether the user profile has limited capability.</li>
<li>Whether the user or the user’s group owns new objects that the user creates.</li>
<li>What authority the user’s group automatically receives to new objects
that the user creates.</li>
</ul>
</div>
<div class="p">The following figure shows an example of the report for mismatched special
authorities and user classes. Notice the following: <ul><li>USERX has a system operator (*SYSOPR) user class but has *ALLOBJ and *SPLCTL
special authorities.</li>
<li>USERY has a user (*USER) user class but has *SECADM special authority.</li>
<li>USERZ also has a user (*USER) class and *SECADM special authority. You
can also see that USERZ is a member of the QPGMR group, which has *JOBCTL
and *SAVSYS special authorities.</li>
</ul>
 </div>
<div class="figtopbot"><span class="figcap">Figure 2. User Information Report:
Example 2</span><pre>                      User Profile Information 

Report type . . . . . . . . . : *AUTINFO 
Select by . . . . . . . . . . : *MISMATCH 
              -------------Special Authorities------------- 
                           *IO                                               Group 
User    Group    *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User            Group     Authority Limited
Profile Profiles OBJ  IT   CFG CTL  SYS  ADM  VICE  CTL Class   Owner   Authority Type      Capability
USERX   *NONE    X             X    X               X   *SYSOPR *USRPRF *NONE     *PRIVATE  *NO
USERY   *NONE                            X              *USER   *USRPRF *NONE     *PRIVATE  *NO
USERZ   *NONE                            X              *USER   *USRPRF *NONE     *PRIVATE  *NO
        QPGMR                  X    X</pre>
</div>
<p>You can run these reports regularly to help you monitor the administration
of user profiles.</p>
<p>For more information, see: <a href="rzamvmonitoruserenviron.htm#monitoruserenviron">Monitor
user environments</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvmonitorauth.htm" title="This topic provides basic suggestions for monitoring the effectiveness of the security safeguards on your system.">Monitor authority</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzamvspecialauth.htm" title="This topic describes special authorities that can be specified for a user.">Special authorities</a></div>
</div>
</div>
</body>
</html>