I have implemented adopted authority. I'm now running into trouble with user profiles. Specifically, a user can't sign on unless the object authority of that user profile is owned by the group profile. Is that a "rule" of adopted authority?
Adopted authority has nothing to do with the authority a user needs to sign on the system. When a profile is created, OS/400 grants *CHANGE plus *OBJMGT authority to the profile itself. That authority should NOT be removed or altered. When a user is made a member of a group profile, OS/400 grants the user profile the following authorities to the group profile: *OBJOPR, *OBJMGT, *READ, *ADD, *UPDATE, *DELETE (note - authority to the group does NOT include *EXECUTE.) It sounds like one of these two authorities has been removed or altered. I would check and, if necessary, set the authorities to the values listed above.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
On AS/400, the journal type AF subtype K, shows that a user profile lacks the special authority required by the function attempting to run. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.