Audit - *ALLOBJ user rights

AlanW-GT

We are auditing a client who is running their ERP application on AS/400.

While reviewing the AS/400 user list, we noticed that nearly all of the individuals who were assigned to the *USER class had been granted the special authority of *ALLOBJ; users provided with this special authority are allowed to access any object on the AS/400 system (IBM strongly recommends not assigning special authorities to individuals in the *USER class).

The client states that the *ALLOBJ special authority is needed for a group profile (QUIZUSER) to run jobs from the custom menu option. The client had previously removed the *ALLOBJ special authority from this group profile and users were not able to run the custom report jobs.

Does anyone have an idea of how the client can have users run custom report jobs without being granted the *ALLOBJ special authority?

Any suggestions would be appreciated.
 
Are you talking about World or OneWorld (EnterpriseOne)? Either way, the *users do not need the *ALLOBJ special authority. I would guess that someone has set up object authority and then did not know how to implement authority adoption in order to follow through. I'll attach a couple of documents. First read the one on Setting up World security on the iSeries. Even if you are using OneWorld, this document is the basis. Then the second document adds to that document. You can find information on securing the AS/400 for World/OneWorld in Customer Connect also.
 

Attachments

  • 101476-Securing OneWorld Software.doc
Another attachment
 

Attachments

  • 101479-Securing World Software.doc
Thank you Jean,

Your help in this topic is greatly appreciated. As auditors, we often rely on the expertise of people like you to help our clients.
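
For the audit finding in the first post, an added example (not from the thread, the attached documents or IBM) that separates *USER class profiles holding *ALLOBJ directly from those that pick it up through a group or supplemental group profile such as QUIZUSER. The CSV layout, its column names and every profile other than QUIZUSER are constructed assumptions.

```python
import csv
import io

# Constructed sample export of user profiles. Column names are assumptions,
# not an IBM i outfile layout; only QUIZUSER comes from the thread.
SAMPLE = """profile,user_class,special_authorities,group_profile,supplemental_groups
QUIZUSER,*USER,*ALLOBJ *JOBCTL,*NONE,*NONE
CLERK01,*USER,*NONE,QUIZUSER,*NONE
CLERK02,*USER,*ALLOBJ,*NONE,*NONE
CLERK03,*USER,*SPLCTL,RPTGRP,QUIZUSER
CLERK04,*USER,*NONE,RPTGRP,*NONE
RPTGRP,*USER,*NONE,*NONE,*NONE
SECADMIN,*SECOFR,*ALLOBJ *SECADM,*NONE,*NONE
"""

def _names(field):
    """Split a blank-separated list, treating *NONE and empty as no entries."""
    return [n for n in field.split() if n != "*NONE"]

def audit_allobj(csv_text, authority="*ALLOBJ", user_class="*USER"):
    """Return {profile: [sources]} for profiles of user_class holding authority.

    A source is 'direct' or 'group:<name>', because a member runs with the
    special authorities of its group and supplemental group profiles.
    """
    rows = {r["profile"]: r for r in csv.DictReader(io.StringIO(csv_text))}
    findings = {}
    for name, row in rows.items():
        if row["user_class"] != user_class:
            continue
        sources = []
        if authority in _names(row["special_authorities"]):
            sources.append("direct")
        groups = _names(row["group_profile"]) + _names(row["supplemental_groups"])
        for g in groups:
            grp = rows.get(g)
            if grp and authority in _names(grp["special_authorities"]):
                sources.append(f"group:{g}")
        if sources:
            findings[name] = sources
    return findings

if __name__ == "__main__":
    for profile, sources in sorted(audit_allobj(SAMPLE).items()):
        print(f"{profile:10} {', '.join(sources)}")
```

Profiles reported only as group:QUIZUSER lose *ALLOBJ when it is removed from the group profile, while those reported as direct must be changed individually.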
 