Ask The iSeries 400 Expert: Questions & Answers

Securing the iSeries Helpdesk

EXPERT RESPONSE FROM: Scott Ingvaldson

QUESTION POSED ON: 31 October 2005
We have run into a stumbling block on iSeries security and the Helpdesk. I would like your opinion and suggestions. Our Helpdesk is responsible for resetting end-user passwords, authenticating the user before the password is reset, of course.

In our environment helpdesk cannot list user profiles, which makes it difficult to reset a user's password. Our current system setting is to deny public access. We believe we have a couple of options.

Option one

We can make user profiles available to the public. The default setting is to deny public access. If this option is set, the following are available: anyone with *SECADM can view and manage user profiles; anyone without *SECADM can view the user profile at a high level, but they cannot get the details of what authority is assigned to the profile.

Control points: Production users access systems via menus so they cannot view profiles.

Option two

Establish a new user profile that can grant the Helpdesk authority view. The Helpdesk requires secadmin to manage profiles, i.e., set passwords.

Control points: This new profile would have to be assigned to every user account registered on the iSeries. As new users are granted access, security staff would have to assign this new profile to the account before the Helpdesk can administer the account.

Option three

Grant Helpdesk all object authority. Granting this authority, the Helpdesk would have access to user profiles and other objects on the iSeries. This is more authority than they would ever need.

I feel option two would be the most secure method, but this option also requires additional user setup.

Are there other solutions to our problem that we may have overlooked?

If option two is the best bet, is there a tool that we can use to update all user profiles to permit helpdesk access?


Option two is definitely your best bet. I would create a group profile for your help desk profiles to belong to. Set all of the help desk user profiles to belong to the group "HELPDESK" and set the "Owner" parameter to *GRPPRF. This will give all group members access to any new profiles created. To give the HELPDESK group access to the already existing profiles, you will need to either

    CHGOBJOWN OBJ(PROFILE) OBJTYPE(*USRPRF) NEWOWN(HELPDESK)

or

    GRTOBJAUT OBJ(PROFILE) OBJTYPE(*USRPRF) USER(HELPDESK) AUT(*ALL)

You will probably not want to do this to the Q profiles.

Another solution would be to create a user profile management menu using programs that adopt the authority of a profile with *SECADM and *ALLOBJ authorities and give your help desk users authority to manage user profiles only through this menu and these programs.
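The question asks for a tool to apply the grant to every existing profile. The CL program below is an added example, not part of the original answer: it runs the answer's GRTOBJAUT command against each user profile and skips the Q profiles. It assumes it is compiled and run by a security officer, that the group profile is named HELPDESK as in the answer, and that QTEMP/USRPRFS is a free work-file name chosen here for illustration.

```cl
/* Added example: grant the HELPDESK group authority to all        */
/* existing user profiles except the IBM-supplied Q profiles.      */
PGM
  DCLF  FILE(QSYS/QADSPOBJ)            /* model outfile of DSPOBJD */
  DCL   VAR(&GRANTED) TYPE(*DEC) LEN(5 0) VALUE(0)
  DCL   VAR(&COUNT)   TYPE(*CHAR) LEN(5)

  /* List every *USRPRF object into a work file (assumed name) */
  DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) +
          OUTFILE(QTEMP/USRPRFS)
  OVRDBF  FILE(QADSPOBJ) TOFILE(QTEMP/USRPRFS)

LOOP:
  RCVF
  MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file */

  /* Leave the Q profiles and the group profile itself untouched */
  IF COND(%SST(&ODOBNM 1 1) *EQ 'Q') THEN(GOTO CMDLBL(LOOP))
  IF COND(&ODOBNM *EQ 'HELPDESK') THEN(GOTO CMDLBL(LOOP))

  /* Same command the answer gives, applied to one profile */
  GRTOBJAUT OBJ(QSYS/&ODOBNM) OBJTYPE(*USRPRF) USER(HELPDESK) +
            AUT(*ALL)
  MONMSG MSGID(CPF0000) EXEC(DO)
    /* Report the failure and carry on with the next profile */
    SNDPGMMSG MSG('Grant failed for profile ' *CAT &ODOBNM)
    GOTO CMDLBL(LOOP)
  ENDDO

  CHGVAR VAR(&GRANTED) VALUE(&GRANTED + 1)
  GOTO CMDLBL(LOOP)

DONE:
  DLTOVR FILE(QADSPOBJ)
  CHGVAR VAR(&COUNT) VALUE(&GRANTED)
  SNDPGMMSG MSG('HELPDESK granted authority to ' *CAT &COUNT +
            *BCAT 'profiles')
ENDPGM
```

Review the profile list in QTEMP/USRPRFS before running the grant so that any other profiles you want excluded can be added to the skip checks.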
