changing a group profile to a user profile?
One of my predecessors thought it was a great idea to add users to the QSYSOPR profile, which changed it from a regular user profile to a group profile. I have since moved these users to other groups, but QSYSOPR still thinks it's a group even though there are no members. Short of deleting this profile and recreating it, is there any way to reverse this process and "demote" this user profile? We actually use QSYSOPR for several tasks, but my Audit department has pointed out that we have a group profile with a password and they want us to either change it to password = *NONE or make it not be a group anymore. Thanks.
Software/Hardware used:
Software/Hardware used:
ASKED:
September 8, 2005 11:27 AM
UPDATED:
November 10, 2009 6:56 PM
Answer Wiki:
What makes you think QSYSOPR has changed from a "regular" to a "group" profile? I can't find any attribute of the profile that would indicated that.
I know you can create a group in the Navigator, but i haven't really used that extensively. I did create a group to see if it created a profile but it didn't.
As far as i know, using a profile in the group profile parameter of another profile does not change the profile being used as a group profile in anyway. For example, i have QSECOFR locked down and specify it as the group profile for myself and another person that i want administering the system. If i run the dspusrprf command, QSECOFR has nothing to indicate that it is a "group profile", it's merely referenced by the other two.
To see all answers submitted to the Answer Wiki: View Answer History.
The attribute can’t be seen by viewing the user (group) profile; it can’t be seen by doing a DSPUSRPRF OUTPUT(*PRINT) either. But, if you do a DSPUSRPRF OUTPUT(*OUTFILE) and then view the file, there’s a field called “Group Profile Indicator,” and my QSYSOPR has a *YES in this field.
Thank you for pointing that out. I didn’t know that. But (if i remember correctly) the person who posted the question said that once he removed the profiles QSYSOPR was still considered a group profile.
I tried your suggestion. The field was set to “*NO”. I then changed a profile to have QSYSOPR as its group profile and reran the command. The field was then set to “*YES”. Then i change the profile to not back to its original group profile value should have set the field back to “*NO”, which it did.
So i’m still not sure what his problem is. At least for me , now that i know about the field, it works as exepected.
I’m wondering if that field is there just to make it possible to query the file so that you can see a list of profiles that are being used as group profiles and what profiles are under them. Like:
select g.upuprf as group_prf, u.upuprf as group_mbr
from dspusrprf g
left outer join dspusrprf u
on g.upuprf = u.upgrpf
where g.upgrpi = ‘*YES’
order by g.upuprf, u.upuprf
BTW, what does your Audit Dept care if a group profile has a password or not? A password on a group profile has no practical difference from a password on any member of the group. Signing on as any group member gives you the authority of the group profile — that’s pretty much the whole point of group profiles. Now, I would understand if the password was made public…
Tom
If you want to change the Group Profile Indicator to *NO you must use the QSYCHGID API to change the Group ID (GID) to 0. Here is the link from IBM:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/apis/QSYCHGID.htm