In our environment helpdesk cannot list user profiles, which makes it difficult to reset a user's password. Our current system setting is to deny public access. We believe we have a couple of options.
We can make user profiles available to the public. The default setting is to deny public access. If this option is set, the following are available: anyone with *SECADM can view and manage user profiles, anyone without *SECADM can view the user profile at a high-level, but they cannot get the details of what authority is assigned to the profile.
Control points: Production users access systems via menus so they cannot view profiles.
Option twoEstablish a new user profile that can grant the Helpdesk authority view. The Helpdesk requires secadmin to manage profiles, IE set passwords.
Control points: This new profile would have to be assigned to every user account registered on the iSeries. As new users are granted access, security staff would have to assign this new profile to the account before the Helpdesk can administer the account.
Grant Helpdesk all object authority. Granting this authority, the Helpdesk would have access to user profiles and other objects on the iSeries. This is more authority then they would ever need.
I feel option two would be the most secure method, but this option also requires additional user setup.
Are there other solutions to our problem that we may have over looked?
If options two is the best bet, is there a toll that we can use to update all user profiles to permit helpdesk access?
Another solution would be to create a user profile management menu using programs that adopt the authority of a profile with *SECADM and *ALLOBJ authorities and give your help desk users authority to manage user profiles only through this menu and these programs.
Dig deeper on iSeries system and application security
Related Q&A from Scott Ingvaldson
On the AS/400 system, close all sessions in the receiving envrionment when transferring files from one environment to another if the sessions hold ...continue reading
After extending storage capacity on an IBM 520, the system performance depends on the workload amount and should not be affected negatively as long ...continue reading
When encountering problems using the SNDDST command to send a *LMSG on the iSeries, specify a valid SMTP name in the directory entry of the sender to...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.