Monitor public authority to objects

This article describes the SECBATCH menu options and security commands that you can use to monitor public authority to objects.

Public authority is the authority for an object granted to all users.

For both simplicity and performance, most systems are set up so that most objects are available to most users. Users are explicitly denied access to certain confidential, security-sensitive objects rather than having to be explicitly authorized to use every object. A few systems with high security requirements take the opposite approach and authorize objects on a need-to-know basis. On those systems, most objects are created with the public authority set to *EXCLUDE.

The system is object-based, with many different object types. Most object types do not contain sensitive information or perform security-relevant functions. As a security administrator on a system with typical security needs, you probably want to focus your attention on objects that require protection, such as database files and programs. For other object types, you can simply set a public authority that is sufficient for your applications, which for most object types is *USE authority.

You can use the Print Public Authority (PRTPUBAUT) command to print information about objects that public users can access. (A public user is anyone with sign-on authority who does not have explicit authority to an object.) When you use the PRTPUBAUT command, you can specify the object types and the libraries or directories that you want to examine.

You can use options 11 or 50 on the SECBATCH menu to print the Publicly Authorized Objects report for the object types that might have security implications. Use the general options (18 and 57) to specify the object type. You can print the changed version of this report regularly to see what objects might require your attention.
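The following CL program is an added example of how such a review might be scheduled outside the SECBATCH menu; it is not part of this article. The library name MYLIB, the directory path, and the object-type list are constructed for illustration, and the parameter keywords OBJTYPE, LIB, DIR, SCHSUBDIR and CHGRPTONLY are assumed to be those of PRTPUBAUT on your release (verify them with the command prompt, F4, before use).

```cl
/* Constructed example: review what *PUBLIC can reach in one   */
/* application library, then only report changes on later runs. */
/* MYLIB, /home/appdata and the object types are assumptions.   */
PGM

  /* Baseline run: full Publicly Authorized Objects report for   */
  /* the object types that usually carry security implications.  */
  PRTPUBAUT  OBJTYPE(*FILE *PGM *SRVPGM *CMD *DTAARA) +
             LIB(MYLIB) +
             CHGRPTONLY(*NO)

  /* Periodic run: the changed version of the report, listing    */
  /* only objects whose public authority differs from the last   */
  /* time the report was produced. Schedule this one regularly.  */
  PRTPUBAUT  OBJTYPE(*FILE *PGM *SRVPGM *CMD *DTAARA) +
             LIB(MYLIB) +
             CHGRPTONLY(*YES)

  /* Stream files under an application directory, including      */
  /* subdirectories, so public access to data files is reviewed  */
  /* alongside library objects.                                   */
  PRTPUBAUT  OBJTYPE(*STMF) +
             DIR('/home/appdata') +
             SCHSUBDIR(*YES) +
             CHGRPTONLY(*YES)

ENDPGM
```

Each PRTPUBAUT call produces a spooled report; review entries whose public authority is higher than *USE against the expectations of the owning application.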

For more information, see: Monitor special authorities.