Limiting user profiles

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries Security Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions Authorize a specific user to select files in a separate library Allow a user to view a library prod without granting full access to all data iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Yes, there is a way to have all profiles default to *PUBLIC *CHANGE but you really don't want to do that. Users with *USE (or greater) to a profile can use that profile to submit a job or swap to the profile. In other words, changing the *PUBLIC authority of profiles is opening up the opportunity for other users to masquerade as another user. Here are a couple ideas that don't open up security exposures. One – provide a menu for your helpdesk and one of the options is to create a user profile. This menu option is a program that processes the CRTUSRPRF command, and then changes the ownership of the profile to an "OWNER" profile. The program needs to be configured to adopt OWNER's authority. Another option is to configure all helpdesk personnel's profiles to belong to a group and have their newly created objects be owned by the group. This way, all user profiles (and anything else they create) will be owned by the group. This is a less secure implementation, however, and I much prefer the first option.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

The Best Web Links: tips, tutorials and more.

Search400's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Check out this Search400.com Featured Topic: Top ten security tips

Visit the ITKnowledge Exchange and get answers to your security questions fast.