In our environment helpdesk cannot list user profiles, which makes it difficult to reset a user's password. Our current system setting is to deny public access. We believe we have a couple of options.
Option one
We can make user profiles available to the public. The default setting is to deny public access. If this option is set, the following are available: anyone with *SECADM can view and manage user profiles, anyone without *SECADM can view the user profile at a high-level, but they cannot get the details of what authority is assigned to the profile.
Control points: Production users access systems via menus so they cannot view profiles.
Option two
Establish a new user profile that can grant the Helpdesk authority view. The Helpdesk requires secadmin to manage profiles, i.e., set passwords.
Control points: This new profile would have to be assigned to every user account registered on the iSeries. As new users are granted access, security staff would have to assign this new profile to the account before the Helpdesk can administer the account.
Option three
Grant Helpdesk all object authority. Granting this authority, the Helpdesk would have access to user profiles and other objects on the iSeries. This is more authority than they would ever need.
I feel option two would be the most secure method, but this option also requires additional user setup.
Are there other solutions to our problem that we may have overlooked?
If option two is the best bet, is there a tool that we can use to update all user profiles to permit helpdesk access?
Another solution would be to create a user profile management menu using programs that adopt the authority of a profile with *SECADM and *ALLOBJ authorities and give your help desk users authority to manage user profiles only through this menu and these programs.
This was first published in October 2005
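The adopted-authority approach suggested in the answer could look like the following CL program, added here as an illustration and not taken from the original page. The library HDTOOLS, the owning profile HDADOPT, the group profile HELPDESK and the program name RSTPWD are hypothetical, and the sketch assumes passwords of at most 10 characters. It limits what the adopted *SECADM and *ALLOBJ authority can be used for by refusing IBM-supplied and privileged profiles.

```cl
/* RSTPWD: added example, helpdesk password reset through adopted authority. */
/* Hypothetical names: library HDTOOLS, owner HDADOPT (*SECADM and *ALLOBJ), */
/* group profile HELPDESK. Assumes passwords of at most 10 characters.       */
/* Build and lock down, run once by a security officer:                      */
/*   CRTBNDCL  PGM(HDTOOLS/RSTPWD) SRCFILE(HDTOOLS/QCLSRC) USRPRF(*OWNER)    */
/*   CHGPGM    PGM(HDTOOLS/RSTPWD) USEADPAUT(*NO)                            */
/*   CHGOBJOWN OBJ(HDTOOLS/RSTPWD) OBJTYPE(*PGM) NEWOWN(HDADOPT)             */
/*   RVKOBJAUT OBJ(HDTOOLS/RSTPWD) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*ALL)     */
/*   GRTOBJAUT OBJ(HDTOOLS/RSTPWD) OBJTYPE(*PGM) USER(HELPDESK) AUT(*USE)    */
             PGM        PARM(&USER &NEWPWD)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
             DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&REASON) TYPE(*CHAR) LEN(60)

             /* IBM-supplied profiles (Q*) are never reset from this program */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(DO)
               CHGVAR   VAR(&REASON) VALUE('IBM-supplied profile refused')
               GOTO     CMDLBL(REJECT)
             ENDDO

             /* The lookup runs under the adopted authority of the owner */
             RTVUSRPRF  USRPRF(&USER) SPCAUT(&SPCAUT)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               CHGVAR   VAR(&REASON) VALUE('Profile could not be retrieved')
               GOTO     CMDLBL(REJECT)
             ENDDO

             /* Only profiles with no special authorities may be reset, so */
             /* the helpdesk cannot take over a *SECADM or *ALLOBJ account */
             IF         COND(&SPCAUT *NE '*NONE') THEN(DO)
               CHGVAR   VAR(&REASON) VALUE('Privileged profile refused')
               GOTO     CMDLBL(REJECT)
             ENDDO

             /* Force the user to choose a new password at next sign-on */
             CHGUSRPRF  USRPRF(&USER) PASSWORD(&NEWPWD) PWDEXP(*YES)

             /* Record which helpdesk user performed the reset */
             RTVJOBA    CURUSER(&CALLER)
             SNDPGMMSG  MSG('RSTPWD:' *BCAT &CALLER *BCAT +
                          'reset password for' *BCAT &USER) TOMSGQ(QSYSOPR)
             RETURN

 REJECT:     SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&REASON) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Helpdesk users call the program from their menu, for example `CALL PGM(HDTOOLS/RSTPWD) PARM('JSMITH' 'TEMP1234')` with constructed values, and need no special authorities of their own.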