Monitor special authorities

This topic describes the SECBATCH menu options and commands used to monitor special authorities.

Special authority is a type of authority a user can have to perform system functions, including all object authority, save system authority, job control authority, security administrator authority, spool control authority, service authority, and system configuration authority.

When users on your system have unnecessary special authorities, your efforts to develop a good object-authority scheme may be wasted. Object authority is meaningless when a user profile has *ALLOBJ special authority. A user with *SPLCTL special authority can see any spooled file on the system, no matter what efforts you make to secure your output queues. A user with *JOBCTL special authority can affect system operations and redirect jobs. A user with *SERVICE special authority may be able to use service tools to access data without going through the operating system.

Use the following SECBATCH menu options to monitor special authorities: 29 to submit the job immediately or 68 to use the job scheduler.

You can use the Print User Profile (PRTUSRPRF) command to print information about the special authorities and user classes for user profiles on your system. When you run the report, you have several options:

All user profiles
User profiles with specific special authorities
User profiles that have specific user classes
User profiles with a mismatch between user class and special authorities.

The following figure shows an example of the report that shows the special authorities for all user profiles:

Figure 1. User Information Report: Example 1

                       User Profile Information 

Report type . . . . . . . . . : *AUTINFO 
Select by . . . . . . . . . . : *SPCAUT 
Special authorities . . . . . : *ALL 
              -------------Special Authorities------------- 
                           *IO                                                Group 
User    Group    *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User            Group     Authority Limited
Profile Profiles OBJ  IT   CFG CTL  SYS  ADM  VICE  CTL Class   Owner   Authority Type      Capability
USERA  *NONE     X    X    X   X    X    X    X     X   *SECOFR *USRPRF *NONE     *PRIVATE  *NO 
USERB  *NONE                   X    X                   *PGMR   *USRPRF *NONE     *PRIVATE  *NO 
USERC  *NONE     X    X    X   X    X    X    X     X   *SECOFR *USRPRF *NONE     *PRIVATE  *NO 
USERD  *NONE                                            *USER   *USRPRF *NONE     *PRIVATE  *NO

In addition to the special authorities, the report shows the following:

Whether the user profile has limited capability.
Whether the user or the user’s group owns new objects that the user creates.
What authority the user’s group automatically receives to new objects that the user creates.

The following figure shows an example of the report for mismatched special authorities and user classes. Notice the following:

USERX has a system operator (*SYSOPR) user class but has *ALLOBJ and *SPLCTL special authorities.
USERY has a user (*USER) user class but has *SECADM special authority.
USERZ also has a user (*USER) class and *SECADM special authority. You can also see that USERZ is a member of the QPGMR group, which has *JOBCTL and *SAVSYS special authorities.

Figure 2. User Information Report: Example 2

                      User Profile Information 

Report type . . . . . . . . . : *AUTINFO 
Select by . . . . . . . . . . : *MISMATCH 
              -------------Special Authorities------------- 
                           *IO                                               Group 
User    Group    *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User            Group     Authority Limited
Profile Profiles OBJ  IT   CFG CTL  SYS  ADM  VICE  CTL Class   Owner   Authority Type      Capability
USERX   *NONE    X             X    X               X   *SYSOPR *USRPRF *NONE     *PRIVATE  *NO
USERY   *NONE                            X              *USER   *USRPRF *NONE     *PRIVATE  *NO
USERZ   *NONE                            X              *USER   *USRPRF *NONE     *PRIVATE  *NO
        QPGMR                  X    X

You can run these reports regularly to help you monitor the administration of user profiles.

For more information, see: Monitor user environments.