Authorize a user to enable a disabled profile

I would like to authorize a user to enable a disabled profile, reset a user profile's password, or enable a device description, but not be able to create or delete a profile/device description. Can you recommend a way to achieve this goal? Would there be a way to protect profiles like QSECOFR from such a user?

The easiest way to accomplish this is to create your own version of these commands. Then the CPP (command processing program) for the command adopts its owner's authority and the program owner has the authority needed to perform the request. For example, you can create your own version of the CHGUSRPRF command that externalizes only the user profile, password and status parameters. The CPP calls the real CHGUSRPRF command which will reset the user's password. The CPP is owned by a user that has enough authority to reset all users' passwords.

Given this set-up, even if the user tries to run the real command, they won't have the authority required. If you want to exclude certain users from being reset or modified, e.g., QSECOFR, your CPP can check for those restrictions before running the OS/400 version of the command.
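One way to build the wrapper command described in the answer, as an added example that is not part of the original answer. The names SECLIB, RSTPWDC, RSTUSRPWD, PWDADMIN and HELPDESK are hypothetical, and the Q-prefix rule, the user-class rule and PWDEXP(*YES) are assumptions about the restrictions a site would want.

```cl
/* CPP for a hypothetical RSTUSRPWD command. SECLIB, RSTPWDC,         */
/* PWDADMIN and HELPDESK are assumed names. Setup, run by an officer: */
/*   CRTCLPGM  PGM(SECLIB/RSTPWDC) SRCFILE(SECLIB/QCLSRC) +           */
/*               USRPRF(*OWNER)                                       */
/*   CHGOBJOWN OBJ(SECLIB/RSTPWDC) OBJTYPE(*PGM) NEWOWN(PWDADMIN)     */
/*   GRTOBJAUT OBJ(SECLIB/RSTPWDC) OBJTYPE(*PGM) USER(*PUBLIC) +      */
/*               AUT(*EXCLUDE)                                        */
/*   GRTOBJAUT OBJ(SECLIB/RSTPWDC) OBJTYPE(*PGM) USER(HELPDESK) +     */
/*               AUT(*USE)                                            */
/*   CRTCMD    CMD(SECLIB/RSTUSRPWD) PGM(SECLIB/RSTPWDC) +            */
/*               SRCFILE(SECLIB/QCMDSRC)                              */
/* Command source exposing only three parameters:                     */
/*   CMD  PROMPT('Reset user password')                               */
/*   PARM KWD(USRPRF) TYPE(*NAME) LEN(10) MIN(1) +                    */
/*          PROMPT('User profile')                                    */
/*   PARM KWD(PASSWORD) TYPE(*NAME) LEN(10) MIN(1) DSPINPUT(*NO) +    */
/*          PROMPT('New password')                                    */
/*   PARM KWD(STATUS) TYPE(*CHAR) LEN(10) RSTD(*YES) +                */
/*          DFT(*ENABLED) VALUES(*ENABLED *DISABLED) +                */
/*          PROMPT('Status')                                          */
             PGM        PARM(&USRPRF &PWD &STATUS)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PWD)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&STATUS) TYPE(*CHAR) LEN(10)
             DCL        VAR(&USRCLS) TYPE(*CHAR) LEN(10)

/* Restriction 1 (assumed rule): refuse IBM-supplied Q profiles,      */
/* which covers QSECOFR.                                              */
             IF         COND(%SST(&USRPRF 1 1) *EQ 'Q') +
                          THEN(GOTO CMDLBL(DENIED))

/* Restriction 2 (assumed rule): refuse officer and administrator     */
/* classes. Any lookup failure is treated as a denial (fail closed).  */
             RTVUSRPRF  USRPRF(&USRPRF) USRCLS(&USRCLS)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(DENIED))
             IF         COND((&USRCLS *EQ '*SECOFR') *OR +
                          (&USRCLS *EQ '*SECADM')) +
                          THEN(GOTO CMDLBL(DENIED))

/* Checks passed. Library-qualify the real command so the adopted     */
/* authority cannot be redirected through the caller's library list.  */
             QSYS/CHGUSRPRF USRPRF(&USRPRF) PASSWORD(&PWD) +
                          PWDEXP(*YES) STATUS(&STATUS)
             RETURN

 DENIED:     SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Profile' *BCAT &USRPRF *BCAT +
                          'may not be changed with this command') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

The user-class test does not catch a profile that was granted special authorities individually; RTVUSRPRF can also return the SPCAUT list if the restriction needs to cover that case.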

