...
IBM i | Universal Broker for IBM i runs with the UNVUBR510 user profile, which is created at product installation time. Any component started by Universal Broker inherits this user profile.
Removing *ALLOBJ Authority from UNVUBR510 User Profile
Given the extensive authority granted by *ALLOBJ special authority, it is desirable to avoid its use when possible. As of PTF 0UC0126 for V1R2M1, it is possible to remove *ALLOBJ special authority from the UNVUBR510 user profile. However, removing *ALLOBJ from the UNVUBR510 user profile increases administrative complexity.
This can be accomplished with the following command:
Removing *SPLCTL Authority from UNVUBR510 User Profile
Use the following command to remove *SPLCTL authority from the UNVUBR510 user profile:
Removing *ALLOBJ and *SPLCTL Authorities from UNVUBR510 User Profile
Use the following command to remove all special authority from the UNVUBR510 user profile:
---|---
HP NonStop | Universal Broker itself does not require super.super privileges, but components that it starts may. For example, Universal Command (UCMD) Server may require super.super authority. Since the component inherits its user ID from the Broker, either the Broker must be running as super.super or the UCMD Server program must be owned by super.super and ProgID must be set for the server program file.
UNIX | Although Universal Broker itself does not require superuser privileges, some Universal Agent server components (for example, UCMD Server and UEM Server) may require superuser authority to switch execution context to another user account, initialize group membership, or perform other privileged operations.
Windows | The Universal Broker Windows service can be configured to execute with the Local System account or with a specially configured Administrative account (see Windows Service).
z/OS | The Universal Broker started task may execute with any OMVS user ID provided that account has read access to the BPX.DAEMON, BPX.SUPERUSER, and BPX.JOBNAME resources in the FACILITY class.
...