Reduce the number of *ALLOBJ users

Avoid giving low-level users excessive authority to do simple tasks. Give them *Use authority of a simple CL program that "adopts" the needed authority to perform the CHGUSRPRF.

One concern I frequently hear in my classes is administrators reluctantly having to grant "low" level users excessive authority to handle some of the more simple and mundane tasks. One such chore is the enabling of profiles. In many cases, help desk staff is given "All Object" authority to handle such requests.

A more practical solution is to give such personnel *Use authority of a simple CL program that "adopts" the required authority to perform the CHGUSRPRF. In such an arrangement, the user only has authority when they call the program. Once the program goes to EOJ, they "lose" the power to change the profile. While an improvement, there is still the issue that the CHGUSRPRF is very powerful command, capable of changing 40+ parameters.

To further restrict the user's capabilities, we employ Selective Command Prompting in the program; in essence we limit the parameters/values they can modify. Of course, programs should be "user friendly" so error message handling is also included. Not bad for less than 20 lines of code.

0001.00  PGM                                                                            
0001.01  /* ************************************************************************* */
0002.00  /*  Program uses selective Command Prompting to display CHGUSRPRF with       */
0003.00  /*  limited Parameters. Additional parameters can be added. Precede the      */
0004.00  /*  Keyword with ?? to display and allow changes.  A "?*" before the         */
0005.00  /*  Keyword will display it but will not allow user to change the value.     */
0006.00  /*                                                                           */
0007.00  /*  The User Profile field is initially filled in with the user's profile.   */
0008.00  /*  Monitor Message's are used to determine if Update was successful.  If    */
0009.00  /*  not, the Profile field is again filled with the User's profile.          */
0010.00  /*                                                                           */
0011.00  /*  After each attempt to Enable/Update a profile, the user is asked if      */
0012.00  /*  they wish to continue updating profiles.                                 */
0013.00  /*                                                                           */
0014.00  /*  Program can be Compiled/Created to adopt authority of a Profile with     */
0015.00  /*  authority to update profiles. Recommend that PGM's Public Authority      */
0016.00  /*  be set to *Exclude and only specific users be granted *Use Authority     */
0017.00  /*  of the Program.  If using Adopted Authority, please read the Help text   */
0017.01  /*  for the Replace parameter of the CRTCLPGM command.                       */
0018.00  /* ************************************************************************* */
0020.00              DCL        VAR(&MSG) TYPE(*CHAR) LEN(80)                           
0021.00              DCL        VAR(&ANSWER) TYPE(*CHAR) LEN(1) VALUE(Y)                
0022.00              DCL        VAR(&PROFILE) TYPE(*CHAR) LEN(10)                       
0023.00              RTVJOBA    USER(&PROFILE)                                          
0021.00              DCL        VAR(&ANSWER) TYPE(*CHAR) LEN(1) VALUE(Y)                
0022.00              DCL        VAR(&PROFILE) TYPE(*CHAR) LEN(10)                       
0023.00              RTVJOBA    USER(&PROFILE)                                          
0025.00 DOAGAIN:    CHGUSRPRF ??USRPRF(&PROFILE) ?*STATUS(*ENABLED)                     
0026.00             MONMSG     MSGID(CPF0000) +                                         
0027.00               EXEC(DO)                                                          
0028.00                   CHGVAR VAR(&MSG) VALUE('Error - Last profile NOT Updated. +   
0029.00                          Do you wish to continue (Y or N)?      ')              
0030.00                    RTVJOBA  USER(&PROFILE) /* Put a valid profile in field */   
0031.00                    GOTO CMDLBL(SNDMSG)                                          
0032.00               ENDDO                                                             
0034.00 GOODUPDATE:  CHGVAR VAR(&MSG) VALUE('Profile was Successfully Updated. +        
0035.00                     Do you wish to continue (Y or N)?      ')                   
0037.10                        MSGTYPE(*INQ) TOMSGQ(*EXT)  MSGRPY(&ANSWER) +
0038.00                         TRNTBL(QSYSTRNTBL)  
0041.00 TESTANS:    IF COND(&ANSWER = 'Y') THEN(GOTO CMDLBL(DOAGAIN))                    
0043.00 EXITOUT:    RETURN                                                               
0044.00 ENDPGM                                                                           

This was first published in June 2003

Dig deeper on iSeries system and application security



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: