I would like to authorize a user to enable a disabled profile, reset a user profile's password, or enable a device description, but not be able to create or delete a profile/device description. Can you recommend a way to achieve this goal? Would there be a way to protect profiles like QSECOFR from such a user?
The easiest way to accomplish this is to create your own version of these commands. Then the CPP (command processing program) for the command adopts its owner's authority and the program owner has the authority needed to perform the request. For example, you can create your own version of the CHGUSRPRF command that externalizes only the user profile, password and status parameters. The CPP calls the real CHGUSRPRF command which will reset the user's password. The CPP is owned by a user that has enough authority to reset all users' passwords.
Given this set-up, even if the user tries to run the real command, they won't have the authority required. If you want to exclude certain users from being reset or modified, e.g., QSECOFR, your CPP can check for those restrictions before running the OS/400 version of the command.
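The wrapper described in the answer, written out as an added example (it is not code from the original answer or from IBM). The names RSTUSRPWD, RSTUSRPWDC, SECLIB, PWDADMIN and HELPDESK are hypothetical, and refusing every Q-prefixed profile plus the program's own owner is this example's assumption about which profiles to protect.

```cl
/* Constructed example; RSTUSRPWD, RSTUSRPWDC, SECLIB, PWDADMIN and     */
/* HELPDESK are hypothetical names, not taken from the original answer. */
/* --- Command definition source (type CMD): three parameters only ---  */
             CMD        PROMPT('Reset user password/status')
             PARM       KWD(USRPRF) TYPE(*NAME) LEN(10) MIN(1) +
                          PROMPT('User profile')
             PARM       KWD(PASSWORD) TYPE(*CHAR) LEN(128) DFT(*SAME) +
                          SPCVAL((*SAME)) DSPINPUT(*NO) +
                          PROMPT('New password')
             PARM       KWD(STATUS) TYPE(*CHAR) LEN(10) RSTD(*YES) +
                          DFT(*ENABLED) VALUES(*ENABLED *DISABLED) +
                          PROMPT('Status')

/* --- CPP source (type CLLE), created with USRPRF(*OWNER) ---          */
             PGM        PARM(&USRPRF &PASSWORD &STATUS)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PASSWORD) TYPE(*CHAR) LEN(128)
             DCL        VAR(&STATUS) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSG) TYPE(*CHAR) LEN(80)
             /* Assumption: protect IBM-supplied Q* profiles (QSECOFR   */
             /* included) and the owner whose authority is adopted;     */
             /* resetting the owner's password would hand it over.      */
             IF         COND((%SST(&USRPRF 1 1) *EQ 'Q') *OR +
                          (&USRPRF *EQ 'PWDADMIN')) THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('Profile' *BCAT &USRPRF +
                             *BCAT 'is protected from this command')
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                             MSGTYPE(*ESCAPE)
             ENDDO
             /* Runs under the owner's adopted authority.               */
             CHGUSRPRF  USRPRF(&USRPRF) PASSWORD(&PASSWORD) +
                          STATUS(&STATUS)
             /* Fail cleanly instead of leaving an inquiry message.     */
             MONMSG     MSGID(CPF0000) EXEC(SNDPGMMSG MSGID(CPF9898) +
                          MSGF(QCPFMSG) MSGDTA('Change failed, see +
                          job log') MSGTYPE(*ESCAPE))
             ENDPGM

/* --- Build and authorize (PWDADMIN needs *SECADM special authority    */
/*     plus *OBJMGT and *USE to the profiles it may change) ---         */
/* CRTBNDCL  PGM(SECLIB/RSTUSRPWDC) SRCFILE(SECLIB/QCLSRC) +            */
/*             USRPRF(*OWNER) AUT(*EXCLUDE)                             */
/* CHGOBJOWN OBJ(SECLIB/RSTUSRPWDC) OBJTYPE(*PGM) NEWOWN(PWDADMIN)      */
/* CRTCMD    CMD(SECLIB/RSTUSRPWD) PGM(SECLIB/RSTUSRPWDC) +             */
/*             SRCFILE(SECLIB/QCMDSRC) AUT(*EXCLUDE)                    */
/* GRTOBJAUT OBJ(SECLIB/RSTUSRPWD) OBJTYPE(*CMD) USER(HELPDESK) AUT(*USE)  */
/* GRTOBJAUT OBJ(SECLIB/RSTUSRPWDC) OBJTYPE(*PGM) USER(HELPDESK) AUT(*USE) */
```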