Dear Mr. Broadbridge
I see. I will inform the IT Audit officer accordingly.
Original Message:
Sent: 02-22-2024 06:40
From: don broadbridge
Subject: Which special authoroty is REALLY needed for ICLUSTER and DMCLUSTER profiles?
Hi Satid,
Apologies, I think I was unclear, the DMCLUSTER user profile requires all (8) special authorities.
Thanks,
------------------------------
don broadbridge
Principal Consultant
Rocket Internal - All Brands
Denver CO US
Original Message:
Sent: 02-22-2024 06:36
From: Satid Singkorapoom
Subject: Which special authoroty is REALLY needed for ICLUSTER and DMCLUSTER profiles?
Dear Mr. Broadbridge
I thank you for your informative response. I take it from your response that the remaining 4 special authorities are not needed.
Thanks.
------------------------------
Satid Singkorapoom
IBM i SME
Rocket Forum Shared Account
Original Message:
Sent: 02-21-2024 07:29
From: don broadbridge
Subject: Which special authoroty is REALLY needed for ICLUSTER and DMCLUSTER profiles?
Hi again Satid,
The ICLUSTER user profile you mention is not a Rocket iCluster profile, the only user profile created when installing is DMCLUSTER. The DMCLUSTER profile requires a server authentication entry on the primary and backup nodes for the DDM connections used by iCluster. Additionally, it needs the SECOFR class and associated permissions to be able to replicate user profiles, devices, files etc..
*SAVSYS grants the ability to save, restore and free storage for all objects on the system
*IOSYSCFG allows user to manage communications such as device/controller/line descriptions
*SERVICE allows user to start system service tools including trace functions
*SECADM allows user to create, change and delete user profiles
For iCluster, DMCLUSTER, needs to be a super-user in order to work with all the attributes and functions incorporated in the IBM i system.
Hope this helps.
------------------------------
don broadbridge
Principal Consultant
Rocket Internal - All Brands
Denver CO US
Original Message:
Sent: 02-21-2024 06:45
From: Satid Singkorapoom
Subject: Which special authoroty is REALLY needed for ICLUSTER and DMCLUSTER profiles?
Hello all
My customer's IT Audit team notices that user profiles ICLUSTER and DMCLUSTER have all special authority (*ALLOBJ , *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL) and asks me if all these are REALLY needed? From my less-than-a-year experience with iCluster, I'm fairly certain that *SAVSYS, *IOSYSCFG, *SERVICE, *SECADM are not needed but am ready to be told I'm wrong. May I ask which special authorities are essentially for these 2 user profiles to work without any hiccup as I need to adjust them for a bare minimum that IT Audit team asks for?
Thanks.
------------------------------
Satid Singkorapoom
IBM i SME
Rocket Forum Shared Account
------------------------------