I have implemented adopted authority. I'm now running into trouble with user profiles. Specifically, a user can't sign on unless the object authority of that user profile is owned by the group profile. Is that a "rule" of adopted authority?
Adopted authority has nothing to do with the authority a user needs to sign on the system. When a profile is created, OS/400 grants *CHANGE plus *OBJMGT authority to the profile itself. That authority should NOT be removed or altered. When a user is made a member of a group profile, OS/400 grants the user profile the following authorities to the group profile: *OBJOPR, *OBJMGT, *READ, *ADD, *UPDATE, *DELETE (note - authority to the group does NOT include *EXECUTE.) It sounds like one of these two authorities has been removed or altered. I would check and, if necessary, set the authorities to the values listed above.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
The UPPWEI field corresponds to the password expiration interval field, and its values "0" and "-1" represent the *SYSVAL and *NOXMAX commands. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.