Administering security on your iSeries system can be a daunting challenge. If you're a small shop with just a dozen users and one or two critical applications, then it is a manageable task. But if you're in a large shop with hundreds (or thousands) of user profiles, managing the security considerations can quickly become a mind boggling task. Fortunately, for those of us in this position, OS/400 includes some very nice tools that let you group your users together in homogeneous work related groups. Using this approach, each user can be classified according to the type of work they do and assigned to a group. Then, all you need to do is manage the group and not each and every individual user.
To implement this, OS/400 provides the Group Profile and Supplemental Group Profile parameters on the user profile setup. The Group Profile is the user's primary group that their work will be associated with. The Supplemental Group Profile lets you also associate the user with up to 15 additional groups other than the primary group.
Once the user's profile is set up this way, you no longer have to manage their individual user profile for granting security permission to use resources on your system. All you need to do then is manage the group profile setup. If you have 100 users on your system, but they can be broken down into five work groups, then all you need to worry about are the five group profiles. As you can see, this will greatly simplify the work needed for security administration.
To implement group profiles, you should first design your groups. You should take into account the type of work performed and the software applications that will be used by users in each group. Remember that you can also use Supplemental Group Profiles if there are gray areas where this will help you subdivide application controls.
Supplemental Group Profiles can also be used for those users, such a supervisors, who need access to multiple group resources on your system.
Note: You cannot implement Supplemental Group Profiles without first assigning a primary Group Profile to a user.
Once you have your groups designed, then go ahead and create a user profile for each group. Since these profiles will not actually be logging on, you can set the profiles up with the password set to the special value of *NONE. This way, users cannot sign on using the group profile itself. I recommend that you create new profiles for groups and not use any existing groups, especially the IBM supplied Qxxxx profiles.
With these Group Profiles created, you can now work on assigning your existing users to their respective groups. This is done from the WRKUSRPRF command or you can perform the updated individually using the CHGUSRPRF command and setting the GRPPRF parameter for the primary group and the SUPGRPPRF parameter for any supplemental groups that you want to use.
Last, but definitely not least, you will have to update your object security to reference the new group profiles rather than individual profiles. When this is all setup, the only complication will be properly grouping new users as they are added to your system. The setup can be complex, but the rewards in reduced security administration will be big.
You can read more about this topic in the OS/400 Security Reference manual, IBM Document Number SC41-5302-04.
About the author: Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.