
Limiting user profiles

I would like to give my help desk staff access to change user profiles, but I don't want the operator to change the QSECOFR profile. They have SECADM authority, but not *ALLOBJ special authority. I have secured profiles prefixed with a "Q". My problem is when a Help Desk person "A" creates a new profile, the profile object authority defaults to *public Exclude. Therefore Help Desk Person "B" doesn't have access to that profile. Is there a way, so that when a new profile is created, it defaults to an authorization of *public *CHANGE?

Yes, there is a way to have all profiles default to *PUBLIC *CHANGE but you really don't want to do that. Users with *USE (or greater) to a profile can use that profile to submit a job or swap to the profile. In other words, changing the *PUBLIC authority of profiles is opening up the opportunity for other users to masquerade as another user.

Here are a couple ideas that don't open up security exposures.

One – provide a menu for your helpdesk and one of the options is to create a user profile. This menu option is a program that processes the CRTUSRPRF command, and then changes the ownership of the profile to an "OWNER" profile. The program needs to be configured to adopt OWNER's authority.

Another option is to configure all helpdesk personnel's profiles to belong to a group and have their newly created objects be owned by the group. This way, all user profiles (and anything else they create) will be owned by the group. This is a less secure implementation, however, and I much prefer the first option.
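
The first option in the answer, sketched as a CL program. This is an added example, not code from the original answer: the names HDCRTUSR, HDLIB and HELPDESK, the parameter list, the creation defaults and the "Q" prefix guard are assumptions, and OWNER is the placeholder owner profile the answer names.

```cl
/* HDCRTUSR - help desk menu option: create a profile owned by OWNER.  */
/* Added example; HDCRTUSR, HDLIB and HELPDESK are hypothetical names. */
/* One-time setup by a security officer:                               */
/*   CRTBNDCL  PGM(HDLIB/HDCRTUSR) SRCFILE(HDLIB/QCLSRC) +             */
/*               USRPRF(*OWNER)                                        */
/*   CHGOBJOWN OBJ(HDLIB/HDCRTUSR) OBJTYPE(*PGM) NEWOWN(OWNER)         */
/*   GRTOBJAUT OBJ(HDLIB/HDCRTUSR) OBJTYPE(*PGM) USER(*PUBLIC) +       */
/*               AUT(*EXCLUDE)                                         */
/*   GRTOBJAUT OBJ(HDLIB/HDCRTUSR) OBJTYPE(*PGM) USER(HELPDESK) +      */
/*               AUT(*USE)                                             */
             PGM        PARM(&USER &TEXT)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&TEXT) TYPE(*CHAR) LEN(50)

             /* Assumed guard: keep the secured "Q" prefix off limits. */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(SNDPGMMSG +
                          MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Q-prefixed profiles are not allowed') +
                          MSGTYPE(*ESCAPE))

             /* *PUBLIC stays *EXCLUDE, so no one can submit jobs as   */
             /* or swap to the new profile. PASSWORD(*NONE) is an      */
             /* assumed default; set the password in a later step.     */
             CRTUSRPRF  USRPRF(&USER) PASSWORD(*NONE) USRCLS(*USER) +
                          SPCAUT(*NONE) TEXT(&TEXT) AUT(*EXCLUDE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Create failed for' *BCAT &USER) +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* Move ownership from the help desk person to OWNER.     */
             CHGOBJOWN  OBJ(QSYS/&USER) OBJTYPE(*USRPRF) NEWOWN(OWNER) +
                          CUROWNAUT(*REVOKE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                /* Do not leave a profile owned by one operator.       */
                DLTUSRPRF  USRPRF(&USER)
                MONMSG     MSGID(CPF0000)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Owner change failed for' *BCAT +
                             &USER) MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

Because every profile created this way ends up owned by OWNER, access does not depend on which help desk person created it, and no profile's *PUBLIC authority has to be raised.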

