Manage Learn to apply best practices and optimize your operations.

More on using group profiles for easier security administration

Learn how to use group profiles for easier security administration in your shop.

In a previous tip by Rich Loeber, Use group profiles for easier security admin, Rich provides excellent advice for managing ID's/groups of ID via group profile.

Once this has been setup, authority to objects, no matter what type, should be done via authority lists.

An authority list is created via the CRTAUTL command with good text and authority set to *Exclude.

The next step is to add the groups into the authority lists. The level of authority can be adjusted based on use. You can set a group to *use an object, have *all authority to an object, etc. This will vary based on the shop and object(s).

The object can then be secured via the authority list.

This type of object management is easy especially if you're adding/deleting associates to your system on a regular basis.

For example, we check for users who haven't logged on for 90 days on the first of every month. All of our users are parts of various groups. When they are deleted off of the system, I don't have to worry about removing individual authority, if any. At the same time, when I add a user and they are modeled off of an associate in a particular group, I don't have to worry about providing authority. The group profile/supplemental profile (if applicable) takes care of this via the authority list.

Another issue, in the event of a crash, group authority via authority lists is restored to the system. Individual authority is not. It can be restored if you are doing a SAVSECDTA on a weekly basis as we do. If individual authority has to be restored, the RSTAUT / RSTUSRPRF commands can be used from the SAVSECDTA tape.

Rich makes a very good point that when using group profiles, the password should be set to *none. We take this a step further for auditing purposes. We also set these group profiles to expired *yes along with initial program to *none and initial menu to *signoff. That may be a bit much but it makes our auditors comfortable.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

The Best Web Links: Tips, tutorials and more.

Search400.com's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Read this Search400.com Featured Topic: Secure your iSeries


Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchDataCenter

Close