In our environment helpdesk cannot list user profiles, which makes it difficult to reset a user's password. Our current system setting is to deny public access. We believe we have a couple of options.
We can make user profiles available to the public. The default setting is to deny public access. If this option is set, the following are available: anyone with *SECADM can view and manage user profiles, anyone without *SECADM can view the user profile at a high-level, but they cannot get the details of what authority is assigned to the profile.
Control points: Production users access systems via menus so they cannot view profiles.
Option twoEstablish a new user profile that can grant the Helpdesk authority view. The Helpdesk requires secadmin to manage profiles, IE set passwords.
Control points: This new profile would have to be assigned to every user account registered on the iSeries. As new users are granted access, security staff would have to assign this new profile to the account before the Helpdesk can administer the account.
Grant Helpdesk all object authority. Granting this authority, the Helpdesk would have access to user profiles and other objects on the iSeries. This is more authority then they would ever need.
I feel option two would be the most secure method, but this option also requires additional user setup.
Are there other solutions to our problem that we may have over looked?
If options two is the best bet, is there a toll that we can use to update all user profiles to permit helpdesk access?
Another solution would be to create a user profile management menu using programs that adopt the authority of a profile with *SECADM and *ALLOBJ authorities and give your help desk users authority to manage user profiles only through this menu and these programs.
This was first published in October 2005