Live objects should not generally belong to either an end user profile or the development profiles, but rather, should be owned by a separate shipment profile. The profile may only be used by an administrator who is responsible for taking tested objects from the developers and implementing them into a live system. The shipment profile is not used either for development, or to run the application.
If security is a particular concern—for instance in a financial environment—then objects should be recompiled by the administrator as part of the implementation process. The CA 2E Toolkit Create Object (YCRTOBJ) command may be of use when recompiling many objects. The CA 2E Toolkit Change Object Ownership (YCHGOBJOWN) command may be of use when changing the authorizations of many objects.
It should not be necessary to be signed on as QSECOFR to install or to administer an application. If you are preparing a product for general shipment, you should ensure that the installation procedure does not require QSECOFR rights to run—many sites will not allow programs to be run under QSECOFR. You should, therefore, design an installation procedure with detailed steps.
Before saving and shipping, ensure that all objects are owned by the shipment profile. For example, you would enter the following command for the profile UDFTOWN:
YCHGOBJOWN OBJ(USHP/*ALL) OBJTYPE(*ALL) NEWOWN(UDFTOWN)
To install:
CRTUSRPRF USRPRF(UDFTOWN) PASSWORD(*NONE) +
          TEXT('Widget System Owner profile')
GRTOBJAUT OBJ(QSYS/CHGDTAARA) OBJTYPE(*CMD) USER(UDFTOWN)
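A pre-shipment check for the ownership requirement above, as an added example that is not part of the CA 2E documentation: a CL program that lists the objects in USHP with DSPOBJD and ends with an escape message if any of them is not owned by UDFTOWN. USHP and UDFTOWN are the names used on this page; the work file QTEMP/OBJOWN is an assumption.

```cl
/* Added example: stop the packaging step if any object in USHP   */
/* is not owned by the shipment profile UDFTOWN.                  */
PGM
   /* QADSPOBJ is the IBM-supplied model file for the DSPOBJD     */
   /* outfile; &ODOBNM, &ODOBTP and &ODOBOW are its object name,  */
   /* object type and owner fields.                               */
   DCLF       FILE(QSYS/QADSPOBJ)
   DCL        VAR(&BAD)  TYPE(*DEC)  LEN(5 0) VALUE(0)
   DCL        VAR(&BADC) TYPE(*CHAR) LEN(5)

   /* List every object in the shipment library into a work file. */
   /* QTEMP/OBJOWN is an assumed name.                            */
   DSPOBJD    OBJ(USHP/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) +
                OUTFILE(QTEMP/OBJOWN) OUTMBR(*FIRST *REPLACE)
   OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/OBJOWN)

READ:
   RCVF
   MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE)) /* end of file */
   IF         COND(&ODOBOW *NE 'UDFTOWN') THEN(DO)
      /* Count the object and report it to the caller's job log.  */
      CHGVAR     VAR(&BAD) VALUE(&BAD + 1)
      SNDPGMMSG  MSG(&ODOBTP *BCAT &ODOBNM *BCAT +
                   'is owned by' *BCAT &ODOBOW)
   ENDDO
   GOTO       CMDLBL(READ)

DONE:
   DLTOVR     FILE(QADSPOBJ)
   IF         COND(&BAD *GT 0) THEN(DO)
      /* Escape message so a calling save procedure does not      */
      /* continue with wrongly owned objects.                     */
      CHGVAR     VAR(&BADC) VALUE(&BAD)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                   MSGDTA(&BADC *BCAT +
                   'objects in USHP are not owned by UDFTOWN') +
                   MSGTYPE(*ESCAPE)
   ENDDO
ENDPGM
```

Run it after YCHGOBJOWN and before saving the library; an empty job log and a normal return mean every listed object is owned by UDFTOWN.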
Copyright © 2014 CA.
All rights reserved.