Anand Dhage

Reputation: 119

Read only permissions on AS400

I want to create a user who can see all the user profiles and group profiles but should not have access to change or delete anything on the AS400 machine.

To achieve this I have created a user with the following permissions:

User class         - *SECADM
Special Authority  - *ALLOBJ, *SECADM.

By creating this type of user, can we achieve read-only access? IBM i version: V7R1 and V7R2.

My main requirement is to create a user with the absolute minimum permissions, meaning one who can only read data from the IBM i machine and does not have the capability to change anything.

If anyone has any ideas about this, please share.

Upvotes: 2

Views: 3106

Answers (2)

j_w_d

Reputation: 68

Possibly, depending on the object too. If they don't have object authority to the object, they can't access it. You would have to GRTOBJAUT.

Upvotes: 0

jmarkmurphy

Reputation: 11473

*ALLOBJ is a very powerful special authority on IBM i and allows a user to change or delete nearly everything on IBM i.

From the IBM i Security manual (v7.3):

Risks: *ALLOBJ special authority gives the user extensive authority over all resources on the system. The user can view, change, or delete any object. The user can also grant to other users the authority to use objects.

*SECADM is a very specific special authority on IBM i; it allows a user to create, change, and delete user profiles. Probably not something you want a regular user to be able to do. It should be tightly controlled.

User classes are mostly meaningless anymore, as they only control menu access. Menu-based authorities were useful back in the day when the AS400 was typically a standalone system or networked only with other AS400s.

Note: I use AS400 here as it was the name of the whole system (hardware and OS) back in the day; current naming on new hardware is complex, but IBM i is the name of the OS previously known as OS/400.

One way to solve your problem, as user2338816 indicated in his comments, is to create a CL program MYGETUSER that contains a single command DSPUSRPRF or RTVUSRPRF depending on what you want to do with the information. If you want all the user profile info displayed on the screen by the command, use DSPUSRPRF. If you want to retrieve specific user profile attributes to the calling program, use RTVUSRPRF. Your CL program MYGETUSER needs to be compiled with USRPRF(*OWNER) and it must be owned by a user profile that has *READ authority to all the user profiles you want to be able to display. You may be able to collect these user profiles in an authorization list to avoid having to assign private authorities to everything. Now you can assign *USE authority to the CL program MYGETUSER for any user that has the need to view user profiles, or the user profile attributes surfaced by your CL program.

Notes: Be sure to assign only the bare minimum authorities to the owner of your CL program to get the information you need, and only give access to that program to the users that need it.

Upvotes: 1
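The setup jmarkmurphy describes, written out as an added example. It is not code from the original answer or from IBM's documentation; the names MYLIB, PRFREADER, MYGETUSER, AUDITOR and ALICE are made up for the illustration, and the profiles are secured here with plain private authorities because the answer's authorization-list variant (CRTAUTL / ADDAUTLE / GRTOBJAUT ... AUTL) is offered there as a possibility rather than something this example verifies. The commands themselves are standard IBM i CL.

```cl
/* ===== Member MYLIB/QCLSRC(MYGETUSER): the only thing the auditor runs ===== */
/* Compiled with USRPRF(*OWNER), it executes under the authority of its owner, */
/* so the caller needs no authority to the *USRPRF objects it reads.           */
             PGM        PARM(&USER)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             /* Read-only: shows group profile (GRPPRF), special authorities, */
             /* class, etc.  Nothing here can change a profile.              */
             DSPUSRPRF  USRPRF(&USER) TYPE(*BASIC)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                /* Re-signal as an escape so the caller sees a clean failure */
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Cannot display profile ' *CAT &USER) +
                             MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM

/* ===== One-time setup, run by a security officer (*SECADM + object rights) ===== */

/* 1. Owner profile (hypothetical name PRFREADER): no password, no special      */
/*    authority, cannot sign on.  Its only job is to be adopted.                */
CRTUSRPRF  USRPRF(PRFREADER) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*NONE) +
           INLMNU(*SIGNOFF) LMTCPB(*YES) +
           TEXT('Owner of MYGETUSER; adopted for DSPUSRPRF only')

/* 2. Give PRFREADER *USE (which includes *READ) to each profile to be viewed.  */
/*    *USE lets DSPUSRPRF/RTVUSRPRF see the profile but not CHGUSRPRF/DLTUSRPRF */
/*    it.  Repeat per profile, group profiles included.                        */
GRTOBJAUT  OBJ(QSYS/ALICE)   OBJTYPE(*USRPRF) USER(PRFREADER) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/ACCTGRP) OBJTYPE(*USRPRF) USER(PRFREADER) AUT(*USE)

/* 3. Compile with adopted authority, make PRFREADER the owner, and stop the    */
/*    adopted authority from propagating to anything MYGETUSER might call.      */
CRTCLPGM   PGM(MYLIB/MYGETUSER) SRCFILE(MYLIB/QCLSRC) SRCMBR(MYGETUSER) +
           USRPRF(*OWNER) AUT(*EXCLUDE)
CHGOBJOWN  OBJ(MYLIB/MYGETUSER) OBJTYPE(*PGM) NEWOWN(PRFREADER) +
           CUROWNAUT(*REVOKE)
CHGPGM     PGM(MYLIB/MYGETUSER) USEADPAUT(*NO)

/* 4. The read-only user: ordinary class, no special authority, forced password */
/*    change at first sign-on (the officer supplies PASSWORD out of band).       */
CRTUSRPRF  USRPRF(AUDITOR) USRCLS(*USER) SPCAUT(*NONE) PWDEXP(*YES) +
           TEXT('Read-only viewer of user profiles')
GRTOBJAUT  OBJ(MYLIB)           OBJTYPE(*LIB) USER(AUDITOR) AUT(*USE)
GRTOBJAUT  OBJ(MYLIB/MYGETUSER) OBJTYPE(*PGM) USER(AUDITOR) AUT(*USE)

/* ===== Checks worth running before handing the profile over ===== */
/* Which programs adopt PRFREADER?  Should list exactly MYGETUSER.            */
DSPPGMADP  USRPRF(PRFREADER)
/* Who can run the program?  Should be PRFREADER (*ALL), AUDITOR (*USE),      */
/* *PUBLIC *EXCLUDE.                                                           */
DSPOBJAUT  OBJ(MYLIB/MYGETUSER) OBJTYPE(*PGM)

/* Signed on as AUDITOR: this works through the adopted authority ...          */
CALL       PGM(MYLIB/MYGETUSER) PARM('ALICE')
/* ... while direct access to the same profile is refused, because AUDITOR     */
/* itself holds no authority to the *USRPRF object.                            */
DSPUSRPRF  USRPRF(ALICE)
CHGUSRPRF  USRPRF(ALICE) TEXT('should fail')
```

Two design points the answer hints at but which are easy to get wrong: the owner profile must have PASSWORD(*NONE) so the adopted authority only ever exists inside the running program, and USEADPAUT(*NO) on MYGETUSER keeps that authority from leaking into any program it calls. With both in place, compromising AUDITOR yields DSPUSRPRF output and nothing more.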
