I would like to give my help desk staff access to change user profiles, but I don't want the operator to change the QSECOFR profile. They have *SECADM special authority, but not *ALLOBJ special authority. I have secured profiles prefixed with a "Q". My problem is that when Help Desk person "A" creates a new profile, the profile object authority defaults to *PUBLIC *EXCLUDE. Therefore Help Desk person "B" doesn't have access to that profile. Is there a way so that when a new profile is created, it defaults to an authorization of *PUBLIC *CHANGE?
Yes, there is a way to have all profiles default to *PUBLIC *CHANGE, but you really don't want to do that. Users with *USE (or greater) to a profile can use that profile to submit a job or swap to the profile. In other words, changing the *PUBLIC authority of profiles opens up the opportunity for other users to masquerade as another user. Here are a couple of ideas that don't open up security exposures.

One: provide a menu for your help desk, and make one of the options "create a user profile". This menu option is a program that processes the CRTUSRPRF command and then changes the ownership of the profile to an "OWNER" profile. The program needs to be configured to adopt OWNER's authority.

Another option is to configure all help desk personnel's profiles to belong to a group and have their newly created objects be owned by the group. This way, all user profiles (and anything else they create) will be owned by the group. This is a less secure implementation, however, and I much prefer the first option.
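The following CL program is an added example of the first option described in the answer above; it is not code from the answer or from IBM. The program name HLPCRTUSR, the library HLPDSK, the help desk group profile HELPDESK, the parameter list, the profile attributes passed to CRTUSRPRF (USRCLS, SPCAUT, PWDEXP) and the guard that refuses Q-prefixed names are all assumptions made for the example; the OWNER profile is the one the answer names. The program is compiled with USRPRF(*OWNER) and owned by OWNER, so every help desk operator who runs it does so with OWNER's adopted authority, and each new profile ends up owned by OWNER rather than by whichever operator happened to create it. The public authority of the profile itself stays *EXCLUDE, which is what keeps other users from submitting jobs as, or swapping to, that profile.

```cl
/* HLPCRTUSR: create a user profile for the help desk and hand it to   */
/* the OWNER profile. Assumed build steps (library and group names are */
/* examples, not from the original answer):                            */
/*   CRTCLPGM PGM(HLPDSK/HLPCRTUSR) SRCFILE(HLPDSK/QCLSRC) +           */
/*            USRPRF(*OWNER) AUT(*EXCLUDE)                              */
/*   CHGOBJOWN OBJ(HLPDSK/HLPCRTUSR) OBJTYPE(*PGM) NEWOWN(OWNER)        */
/*   GRTOBJAUT OBJ(HLPDSK/HLPCRTUSR) OBJTYPE(*PGM) USER(HELPDESK) +     */
/*            AUT(*USE)                                                 */
/* The help desk menu calls: CALL HLPDSK/HLPCRTUSR PARM(name pwd text)  */

             PGM        PARM(&USRPRF &PASSWD &TEXT)

             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PASSWD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(50)

             /* Guard (assumed policy): never create a Q-prefixed name  */
             /* through this program, so IBM-supplied profiles such as  */
             /* QSECOFR are out of reach of the help desk menu.         */
             IF         COND(%SST(&USRPRF 1 1) *EQ 'Q') THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Q-prefixed profiles cannot be created here') +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* Create the profile with no special authorities, public  */
             /* *EXCLUDE, and a password that expires at first sign-on. */
             /* The operator's own *SECADM authority allows CRTUSRPRF;  */
             /* the object is initially owned by that operator.         */
             CRTUSRPRF  USRPRF(&USRPRF) PASSWORD(&PASSWD) PWDEXP(*YES) +
                          USRCLS(*USER) SPCAUT(*NONE) AUT(*EXCLUDE) +
                          TEXT(&TEXT)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('CRTUSRPRF failed; profile not created') +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* Transfer ownership to OWNER and revoke the creating     */
             /* operator's private authority, so operator A and B are   */
             /* in the same position: both reach the profile only via   */
             /* programs that adopt OWNER. Adopting OWNER supplies the  */
             /* authority CHGOBJOWN needs on the new owner's profile.   */
             CHGOBJOWN  OBJ(QSYS/&USRPRF) OBJTYPE(*USRPRF) +
                          NEWOWN(OWNER) CUROWNAUT(*REVOKE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                /* Do not leave a half-configured profile behind.      */
                DLTUSRPRF  USRPRF(&USRPRF)
                MONMSG     MSGID(CPF0000)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Ownership change failed; profile removed') +
                             MSGTYPE(*ESCAPE)
             ENDDO

             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('User profile created and owned by OWNER') +
                          MSGTYPE(*COMP)

             ENDPGM
```

A companion program for changing profiles (CHGUSRPRF) would be built the same way: compiled with USRPRF(*OWNER), owned by OWNER, and granted *USE only to the help desk group, with the same Q-prefix guard at the top. Because the help desk operators hold no authority to the profiles directly, the audit journal records the adopting program in each change, and removing an operator from the HELPDESK group removes all of their access to those profiles at once.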