Expert Answer Center > Experts On Demand > View Answer
EMAIL THIS
Experts on Demand
  EXPERTS ON DEMAND HOME     POSE A QUESTION     VIEW ANSWERS     BROWSE BY TOPIC        RSS FEEDS  
There are cases where my administrators need *ALLOBJ special authority, but I don't want them to have it all of the time. So I added *ALLOBJ to their group profile and have then granted the administrators *EXCLUDE to the commands I don't want them to run. One of those commands is CRTUSRPRF, but they seem to still be able to create user profiles -- how can this be? I thought the user was checked before the group. QUESTION POSED ON: 03 MAY 2006
QUESTION ANSWERED BY: Carol Woodbury You are correct that the user profile authorities are checked before the group profile's authorities. So, in most cases, the administrators would be blocked. But they are probably getting around your restrictions by submitting a job to run as a profile that isn't restricted from running the CRTUSRPRF command -- like yours, perhaps. I prefer writing utilities that adopt authority and perform the tasks requiring *ALLOBJ rather than giving a group profile *ALLOBJ and trying to block or restrict access. There are always new functions to consider with each new release and many ways exist to simply bypass the roadblock you're trying to put up.
HomeExperts on DemandIT Expert Webcast SeriesExpert KnowledgebaseSite Index
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts