We don't want to give the *secadm to any user profiles, but still we need some user IDs other than Qsecofr to enable...
the user ID's. How does adopted authority work in this matter?
Is there any way to grant the *secadm power to any user profile for some time and after the signing off? Should that power be disabled? I've heard that through a CL command I can give the authority. Is that possible?
Yes, the easiest way to allow users to have authority, in this case *SECADM special authority, for a particular time but not all the time is by using adopted authority.
Adopted authority is an attribute of a program. While the program is active (in the call stack) the adopted authority is in effect. When adopted authority is in effect, the user runs with not only his own authority but the program owner's authority as well. So if Sally signs on and calls a program that is owned by QPGMR, Sally will have all of her own authorities as well as all the authorities of the user profile, QPGMR.
In your case, you can create a command whose command processing program (CPP) adopts authority. Have the program be owned by a user profile that has *SECADM special authority. The CPP will perform the CRTUSRPRF command. Set *PUBLIC authority to the CPP to *EXCLUDE. Give *USE authority to the users you want to create profiles. To set a program to adopt authority, specify *OWNER for the user profile parameter on the CHGPGM command: CHGPGM PGM(your_lib/your_pgm) USRPRF(*OWNER)
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
When error messages arise concerning attempts to use a permanent system object without authority, find the source of the issue by looking for an AF ... Continue Reading
The UPPWEI field corresponds to the password expiration interval field, and its values "0" and "-1" represent the *SYSVAL and *NOXMAX commands. Continue Reading