Assigning users only the capabilities sufficient to perform their job functions is a requirement of several laws and regulations (including PCI Data Security Standards). In addition, it makes good business sense to allow users only the capabilities that they need.
Here are the capabilities (special authorities) that we can grant users and the functions they provide:
Special Authorities and Their Functions

Special authority   Function
*AUDIT              Configuration of i5/OS auditing attributes
*IOSYSCFG           Communications configuration and management
*JOBCTL             Management of a job on the system
*SAVSYS             Ability to save and restore the entire system or any object on the system, regardless of authority to the object
*SECADM             Create/change/delete user profiles
*SERVICE            Ability to use Service Tools, perform a service trace, debug another user's job
*SPLCTL             Access to every spooled file on the system regardless of authority to the outq (the "*ALLOBJ" of spooled files)
*ALLOBJ             Access to every object on the system. It is impossible to prevent an *ALLOBJ user from accessing an object!
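One way to check profiles against a least-privilege baseline, as an added example that is not part of the original post. It goes one step beyond the list above by also counting special authorities a user inherits from group profiles, which apply to the user just like directly granted ones. The export format, its column names, the profile names and the approved baseline are all constructed assumptions.

```python
import csv
import io

# The eight special authorities listed in the table above.
SPECIAL_AUTHORITIES = {"*AUDIT", "*IOSYSCFG", "*JOBCTL", "*SAVSYS",
                       "*SECADM", "*SERVICE", "*SPLCTL", "*ALLOBJ"}

# Constructed sample export of user profiles; column names are hypothetical.
SAMPLE_EXPORT = """user,groups,special_authorities
GRPOPER,,*JOBCTL *SAVSYS
GRPDEV,,*ALLOBJ
ALICE,GRPOPER,
BOB,GRPDEV GRPOPER,*SPLCTL
CAROL,,*SECADM
"""

# Hypothetical policy: the special authorities each person's job requires.
APPROVED = {"ALICE": {"*JOBCTL", "*SAVSYS"}, "BOB": {"*JOBCTL"},
            "CAROL": {"*SECADM"}}

def load_profiles(text):
    """Parse the export into {user: (group list, directly granted set)}."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(text)):
        granted = set(row["special_authorities"].split())
        unknown = granted - SPECIAL_AUTHORITIES
        if unknown:
            raise ValueError(f"{row['user']}: unknown {sorted(unknown)}")
        profiles[row["user"]] = (row["groups"].split(), granted)
    return profiles

def effective(user, profiles):
    """Map each effective special authority to where it comes from."""
    groups, granted = profiles[user]
    sources = {auth: "direct" for auth in granted}
    for group in groups:
        for auth in profiles[group][1]:
            sources.setdefault(auth, f"group {group}")
    return sources

def audit(profiles, approved):
    """Return {user: {unapproved authority: source}} for users over baseline."""
    findings = {}
    for user, allowed in approved.items():
        excess = {a: s for a, s in effective(user, profiles).items()
                  if a not in allowed}
        if excess:
            findings[user] = excess
    return findings
```

Calling `audit(load_profiles(SAMPLE_EXPORT), APPROVED)` reports only BOB, and shows that two of his three unapproved authorities arrive through group membership rather than a direct grant.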
Monday, March 3, 2008