friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6290434003
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvmonitorspecauth.htm

116 lines
7.2 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Monitor special authorities" />
<meta name="abstract" content="This topic describes the SECBATCH menu options and commands used to monitor special authorities." />
<meta name="description" content="This topic describes the SECBATCH menu options and commands used to monitor special authorities." />
<meta name="DC.Relation" scheme="URI" content="rzamvmonitorauth.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvspecialauth.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="monitorspecauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Monitor special authorities</title>
</head>
<body id="monitorspecauth"><a name="monitorspecauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Monitor special authorities</h1>
<div><p>This topic describes the SECBATCH menu options and commands used
to monitor special authorities.</p>
<p><span class="uicontrol">Special authority</span> is a type of authority a user
can have to perform system functions, including all object authority, save
system authority, job control authority, security administrator authority,
spool control authority, service authority, and system configuration authority.</p>
<p>When users on your system have unnecessary special authorities, your efforts
to develop a good object-authority scheme may be wasted. Object authority
is meaningless when a user profile has *ALLOBJ special authority. A user with
*SPLCTL special authority can see any spooled file on the system, no matter
what efforts you make to secure your output queues. A user with *JOBCTL special
authority can affect system operations and redirect jobs. A user with *SERVICE
special authority may be able to use service tools to access data without
going through the operating system.</p>
<p>Use the following SECBATCH menu options to monitor special authorities: <kbd class="userinput">29</kbd> to
submit the job immediately or <kbd class="userinput">68</kbd> to use the job scheduler.</p>
<div class="p">You can use the Print User Profile (PRTUSRPRF) command to print information
about the special authorities and user classes for user profiles on your system.
When you run the report, you have several options: <ul><li>All user profiles</li>
<li>User profiles with specific special authorities</li>
<li>User profiles that have specific user classes</li>
<li>User profiles with a mismatch between user class and special authorities.</li>
</ul>
</div>
<p>The following figure shows an example of the report that shows the special
authorities for all user profiles:</p>
<div class="fignone"><span class="figcap">Figure 1. User Information Report:
Example 1</span><pre> User Profile Information
Report type . . . . . . . . . : *AUTINFO
Select by . . . . . . . . . . : *SPCAUT
Special authorities . . . . . : *ALL
-------------Special Authorities-------------
*IO Group
User Group *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User Group Authority Limited
Profile Profiles OBJ IT CFG CTL SYS ADM VICE CTL Class Owner Authority Type Capability
USERA *NONE X X X X X X X X *SECOFR *USRPRF *NONE *PRIVATE *NO
USERB *NONE X X *PGMR *USRPRF *NONE *PRIVATE *NO
USERC *NONE X X X X X X X X *SECOFR *USRPRF *NONE *PRIVATE *NO
USERD *NONE *USER *USRPRF *NONE *PRIVATE *NO</pre>
</div>
<div class="p">In addition to the special authorities, the report shows the following: <ul><li>Whether the user profile has limited capability.</li>
<li>Whether the user or the users group owns new objects that the user creates.</li>
<li>What authority the users group automatically receives to new objects
that the user creates.</li>
</ul>
</div>
<div class="p">The following figure shows an example of the report for mismatched special
authorities and user classes. Notice the following: <ul><li>USERX has a system operator (*SYSOPR) user class but has *ALLOBJ and *SPLCTL
special authorities.</li>
<li>USERY has a user (*USER) user class but has *SECADM special authority.</li>
<li>USERZ also has a user (*USER) class and *SECADM special authority. You
can also see that USERZ is a member of the QPGMR group, which has *JOBCTL
and *SAVSYS special authorities.</li>
</ul>
</div>
<div class="figtopbot"><span class="figcap">Figure 2. User Information Report:
Example 2</span><pre> User Profile Information
Report type . . . . . . . . . : *AUTINFO
Select by . . . . . . . . . . : *MISMATCH
-------------Special Authorities-------------
*IO Group
User Group *ALL *AUD SYS *JOB *SAV *SEC *SER *SPL User Group Authority Limited
Profile Profiles OBJ IT CFG CTL SYS ADM VICE CTL Class Owner Authority Type Capability
USERX *NONE X X X X *SYSOPR *USRPRF *NONE *PRIVATE *NO
USERY *NONE X *USER *USRPRF *NONE *PRIVATE *NO
USERZ *NONE X *USER *USRPRF *NONE *PRIVATE *NO
QPGMR X X</pre>
</div>
<p>You can run these reports regularly to help you monitor the administration
of user profiles.</p>
<p>For more information, see: <a href="rzamvmonitoruserenviron.htm#monitoruserenviron">Monitor
user environments</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvmonitorauth.htm" title="This topic provides basic suggestions for monitoring the effectiveness of the security safeguards on your system.">Monitor authority</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzamvspecialauth.htm" title="This topic describes special authorities that can be specified for a user.">Special authorities</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink