
Granting temporary *secadm power to users

We don't want to give the *secadm to any user profiles, but still we need some user IDs other than Qsecofr to enable the user IDs. How does adopted authority work in this matter?

Is there any way to grant the *secadm power to any user profile for some time and after the signing off? Should that power be disabled? I've heard that through a CL command I can give the authority. Is that possible?

Yes, the easiest way to allow users to have authority, in this case *SECADM special authority, for a particular time but not all the time is by using adopted authority.

Adopted authority is an attribute of a program. While the program is active (in the call stack) the adopted authority is in effect. When adopted authority is in effect, the user runs with not only his own authority but the program owner's authority as well. So if Sally signs on and calls a program that is owned by QPGMR, Sally will have all of her own authorities as well as all the authorities of the user profile, QPGMR.

In your case, you can create a command whose command processing program (CPP) adopts authority. Have the program be owned by a user profile that has *SECADM special authority. The CPP will perform the CRTUSRPRF command. Set *PUBLIC authority to the CPP to *EXCLUDE. Give *USE authority to the users you want to create profiles. To set a program to adopt authority, specify *OWNER for the user profile parameter on the CHGPGM command:

    CHGPGM PGM(your_lib/your_pgm) USRPRF(*OWNER)
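The setup described above, written out as an added example that is not part of the original answer. The library SECTOOLS, program NEWUSRC, command NEWUSR, owner profile PRFADMIN (assumed to hold *SECADM) and user HELPDESK1 are hypothetical names, and the source files QCLSRC and QCMDSRC are assumed to exist in SECTOOLS.

```cl
/* ---- 1. CPP source, member NEWUSRC (hypothetical names) ------ */
PGM        PARM(&USER)
DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
/* Any unexpected error ends the program instead of leaving it    */
/* waiting on an inquiry message while authority is adopted.      */
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

/* Refuse Q* names so the adopted *SECADM is never aimed at       */
/* IBM-supplied profile names.                                    */
IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(GOTO CMDLBL(FAIL))

/* Library-qualify the command so the library list cannot         */
/* substitute a different CRTUSRPRF. User class and special       */
/* authorities are fixed here, not supplied by the caller.        */
/* Assumption: the password is assigned by a separate process.    */
QSYS/CRTUSRPRF USRPRF(&USER) PASSWORD(*NONE) USRCLS(*USER) +
             SPCAUT(*NONE) TEXT('Created through NEWUSR')
RETURN

FAIL:
SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
             MSGDTA('NEWUSR did not create the profile') +
             MSGTYPE(*ESCAPE)
ENDPGM

/* ---- 2. Command source, member NEWUSR ------------------------- */
CMD        PROMPT('Create restricted user')
PARM       KWD(USER) TYPE(*NAME) LEN(10) MIN(1) +
             PROMPT('User profile')

/* ---- 3. One-time setup, run by a security officer ------------- */
CRTCLPGM   PGM(SECTOOLS/NEWUSRC) SRCFILE(SECTOOLS/QCLSRC)
CHGOBJOWN  OBJ(SECTOOLS/NEWUSRC) OBJTYPE(*PGM) NEWOWN(PRFADMIN)
CHGPGM     PGM(SECTOOLS/NEWUSRC) USRPRF(*OWNER)
GRTOBJAUT  OBJ(SECTOOLS/NEWUSRC) OBJTYPE(*PGM) USER(*PUBLIC) +
             AUT(*EXCLUDE)
GRTOBJAUT  OBJ(SECTOOLS/NEWUSRC) OBJTYPE(*PGM) USER(HELPDESK1) +
             AUT(*USE)
CRTCMD     CMD(SECTOOLS/NEWUSR) PGM(SECTOOLS/NEWUSRC) +
             SRCFILE(SECTOOLS/QCMDSRC)
```

Because the CPP accepts only a profile name and hard-codes the rest, a user with *USE authority can create ordinary profiles but cannot use the adopted *SECADM to hand out special authorities.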

