Rocket iCluster

Hello all

My customer's IT Audit team notices that user profiles ICLUSTER and DMCLUSTER have all special authority (*ALLOBJ , *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL)  and asks me if all these are REALLY needed?    From my less-than-a-year experience with iCluster, I'm fairly certain that *SAVSYS, *IOSYSCFG, *SERVICE, *SECADM are not needed but am ready to  be told I'm wrong.    May I ask which special authorities are essentially for these 2 user profiles to work without any hiccup as I need to adjust them for a bare minimum that IT Audit team asks for?        

Thanks. 

Hi again Satid,

The ICLUSTER user profile you mention is not a Rocket iCluster profile, the only user profile created when installing is DMCLUSTER. The DMCLUSTER profile requires a server authentication entry on the primary and backup nodes for the DDM connections used by iCluster. Additionally,  it needs the SECOFR class and associated permissions to be able to replicate user profiles, devices, files etc..

*SAVSYS grants the ability to save, restore and free storage for all objects on the system

*IOSYSCFG allows user to manage communications such as device/controller/line descriptions

*SERVICE allows user to start system service tools including trace functions

*SECADM allows user to create, change and delete user profiles

For iCluster, DMCLUSTER, needs to be a super-user in order to work with all the attributes and functions incorporated in the IBM i system.

Hope this helps.

Hello all

My customer's IT Audit team notices that user profiles ICLUSTER and DMCLUSTER have all special authority (*ALLOBJ , *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL)  and asks me if all these are REALLY needed?    From my less-than-a-year experience with iCluster, I'm fairly certain that *SAVSYS, *IOSYSCFG, *SERVICE, *SECADM are not needed but am ready to  be told I'm wrong.    May I ask which special authorities are essentially for these 2 user profiles to work without any hiccup as I need to adjust them for a bare minimum that IT Audit team asks for?        

Thanks. 

Dear Mr. Broadbridge

I thank you for your informative response. I take it from your response that the remaining 4 special authorities are not needed.

Thanks. 

Hi again Satid,

The ICLUSTER user profile you mention is not a Rocket iCluster profile, the only user profile created when installing is DMCLUSTER. The DMCLUSTER profile requires a server authentication entry on the primary and backup nodes for the DDM connections used by iCluster. Additionally,  it needs the SECOFR class and associated permissions to be able to replicate user profiles, devices, files etc..

*SAVSYS grants the ability to save, restore and free storage for all objects on the system

*IOSYSCFG allows user to manage communications such as device/controller/line descriptions

*SERVICE allows user to start system service tools including trace functions

*SECADM allows user to create, change and delete user profiles

For iCluster, DMCLUSTER, needs to be a super-user in order to work with all the attributes and functions incorporated in the IBM i system.

Hope this helps.

Hello all

My customer's IT Audit team notices that user profiles ICLUSTER and DMCLUSTER have all special authority (*ALLOBJ , *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL)  and asks me if all these are REALLY needed?    From my less-than-a-year experience with iCluster, I'm fairly certain that *SAVSYS, *IOSYSCFG, *SERVICE, *SECADM are not needed but am ready to  be told I'm wrong.    May I ask which special authorities are essentially for these 2 user profiles to work without any hiccup as I need to adjust them for a bare minimum that IT Audit team asks for?        

Thanks. 

Hi Satid,

Apologies, I think I was unclear, the DMCLUSTER user profile requires all (8) special authorities.

Thanks,

Dear Mr. Broadbridge

I thank you for your informative response. I take it from your response that the remaining 4 special authorities are not needed.

Thanks. 

Hi again Satid,

The ICLUSTER user profile you mention is not a Rocket iCluster profile, the only user profile created when installing is DMCLUSTER. The DMCLUSTER profile requires a server authentication entry on the primary and backup nodes for the DDM connections used by iCluster. Additionally,  it needs the SECOFR class and associated permissions to be able to replicate user profiles, devices, files etc..

*SAVSYS grants the ability to save, restore and free storage for all objects on the system

*IOSYSCFG allows user to manage communications such as device/controller/line descriptions

*SERVICE allows user to start system service tools including trace functions

*SECADM allows user to create, change and delete user profiles

For iCluster, DMCLUSTER, needs to be a super-user in order to work with all the attributes and functions incorporated in the IBM i system.

Hope this helps.

Hello all

My customer's IT Audit team notices that user profiles ICLUSTER and DMCLUSTER have all special authority (*ALLOBJ , *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL)  and asks me if all these are REALLY needed?    From my less-than-a-year experience with iCluster, I'm fairly certain that *SAVSYS, *IOSYSCFG, *SERVICE, *SECADM are not needed but am ready to  be told I'm wrong.    May I ask which special authorities are essentially for these 2 user profiles to work without any hiccup as I need to adjust them for a bare minimum that IT Audit team asks for?        

Thanks.