Universal Broker for IBM i runs with the UNVUBR510 user profile, which is created at product installation time. Any component started by Universal Broker inherits this user profile. By default, the UNVUBR510 user profile has *ALLOBJ, *JOBCTL, and *SPLCTL authority. Unless the user profile is modified as described in the following section, *ALLOBJ authority is required for a component to switch its user profiles based on the request it is servicing. *JOBCTL authority is required for internal control and should not be removed. The UNVUBR510 user profile requires *SPLCTL authority to provide Universal Submit Job job logs in specific, limited situations. Any other product or user should not use the UNVUBR510 user profile. By default, users cannot access the system with the UNVUBR510 profile. Removing *ALLOBJ Authority from UNVUBR510 User ProfileGiven the extensive authority allowed by *ALLOBJ special authority, it is desirable to avoid its use when possible. As of PTF 0UC0126 for V1R2M1, it is possible to remove *ALLOBJ special authority from the UNVUBR510 user profile. However, by removing *ALLOBJ from the UNVUBR510 user profile, the administrative complexity is increased. The following steps are required to use Universal Command with *ALLOBJ special authority removed from the UNVUBR510 user profile. 1. If the following objects do not have *USE Public Authority, the UNVUBR510 user profile must be given *USE authority: Html bobswift |
<ul>
<li>
<li>
<li>
<li>
</ul>
This can be accomplished with the following command:
Panel |
---|
<pre>
===> EDTOBJAUT OBJ(QSYS/object_name) OBJTYPE(*PGM)
</pre>
|
|
From the resulting screen, use F6 to add user UNVUBR510 and give it *USE authority. 2. UNVUBR510 user profile must be given *USE authority to the user profile objects of all user profiles that will be using the universal command server on the IBM i. This can be accomplished with the following command:
Panel |
---|
<pre>
===> EDTOBJAUT OBJ(QSYS/user_profile_name) OBJTYPE(*USRPRF)
</pre>
|
|
From the resulting screen, use F6 to add user UNVUBR510 and give it *USE authority. 3. Use the following command to remove the UNVUBR510 user profile *ALLOBJ authority:
Panel |
---|
<pre>
===> CHGUSRPRF USRPRF(UNVUBR510) SPCAUT(*JOBCTL *SPLCTL)
</pre>
|
|
Removing *SPLCTL Authority from UNVUBR510 User ProfileUse the following command to remove the UNVUBR510 user profile *SPLCTL authority:
Panel |
---|
<pre>
===> CHGUSRPRF USRPRF(UNVUBR510) SPCAUT(*JOBCTL *ALLOBJ)
</pre>
|
|
Removing *ALLOBJ and *SPLCTL Authorities from UNVUBR510 User ProfileUse the following command to remove all special authority from the UNVUBR510 user profile:
Panel |
---|
<pre>
===> CHGUSRPRF USRPRF(UNVUBR510) SPCAUT(*JOBCTL)
</pre>
|
|
(Please refer to the previous two sections for additional information.) |