Home > AS/400 Tips > iSeries security tips > More on using group profiles for easier security administration
iSeries 400 Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

ISERIES SECURITY TIPS

More on using group profiles for easier security administration


Michael Mayer
10.15.2002
Rating: -1.82- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


In a previous tip by Rich Loeber, Use group profiles for easier security admin, Rich provides excellent advice for managing ID's/groups of ID via group profile.

Once this has been setup, authority to objects, no matter what type, should be done via authority lists.

An authority list is created via the CRTAUTL command with good text and authority set to *Exclude.

The next step is to add the groups into the authority lists. The level of authority can be adjusted based on use. You can set a group to *use an object, have *all authority to an object, etc. This will vary based on the shop and object(s).

The object can then be secured via the authority list.

This type of object management is easy especially if you're adding/deleting associates to your system on a regular basis.

For example, we check for users who haven't logged on for 90 days on the first of every month. All of our users are parts of various groups. When they are deleted off of the system, I don't have to worry about removing individual authority, if any. At the same time, when I add a user and they are modeled off of an associate in a particular group, I don't have to worry about providing authority. The group profile/supplemental profile (if applicable) takes care of this via the authority list.

Another issue, in the event of a crash, group authority via authority lists is restored to the system. Individual authority is not. It can be restored if you are doing a SAVSECDTA on a weekly basis as we do. If individual authority has to be restored, the RSTAUT / RSTUSRPRF commands can be used from the SAVSECDTA tape.

Rich makes a very good point that when using group profiles, the password should be set to *none. We take this a step further for auditing purposes. We also set these group profiles to expired *yes along with initial program to *none and initial menu to *signoff. That may be a bit much but it makes our auditors comfortable.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

The Best Web Links: Tips, tutorials and more.

Search400.com's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Read this Search400.com Featured Topic: Secure your iSeries


Rate this Tip
To rate tips, you must be a member of Search400.com.
Register now to start rating these tips. Log in if you are already a member.


Submit a Tip




Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
iSeries security tips
Security considerations for IBM i backups
Developing a security incident response system for System i
Tracking remote access users on System i
Setting up security for programmers on IBM i
Controlling remote access on your IBM i
Checking in on your IBM i authorization lists
PCI data security standards and the System i
Securing the integrated file system on IBM System i
Contextual security on IBM i: Limit user profile access
Time for a security checkup for your i

Systems Management
Can you trust all those trigger programs?
Are your backups complete?
Controlling remote command processing
Watch your profiles
Avoid locking issues
Send message to users at a remote site
Security journal receiver management
Top 10 backup commands
Create an iSeries Access image and update it with the latest Service Pack
Tracking critical file access in real time

iSeries system and application security
Developing a security incident response system for System i
Setting up security for programmers on IBM i
Blocking AS/400 DB2 users
Trouble accessing IFS path from Win2k3 server
Checking in on your IBM i authorization lists
Strategies for securing IBM i production files
Changing password security levels and upgrading operating systems on the IBM i
Determine the value of parameter UPPWEI in the DSPUSRPRF field
Define journal code value "K"
Modify content within a journal receiver file

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
midrange  (Search400.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



iSeries Security - Security Tools, Physical Security and System Security
HomeNewsTopicsITKnowledge ExchangeTipsBlogsAsk the ExpertsMultimediaWhite PapersProducts
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts