The easiest way is to sign on as QSECOFR and then use the copy function in the WRKUSRPRF screen to create a new profile that has all the authorities required.
Here’s a simple example program for you to experiment with:<pre>
pgm
dcl &UsrPrf *char 12 value( 'NEW' )
/* Prompt only the parameters marked with ?? */
Qsys/crtusrprf ??usrprf( &USRPRF ) +
??pwdexp( *YES ) +
??usrcls( *USER ) +
??text( 'New text' ) +
??spcaut( *USRCLS )
endpgm</pre>
As you see, it doesn’t actually do anything except run the CRTUSRPRF command for some profile named “NEW”. By itself, that’s not very useful. And if the program is run by someone who doesn’t have enough authority to create profiles, then the program is going to crash severely when CRTUSRPRF is attempted.
To avoid a crash, compile the program something like this:<pre>
CRTBNDCL PGM( mylib/CRTPRF )
SRCFILE( mylib/QCLTSRC )
SRCMBR( CRTPRF )
<b>USRPRF( *OWNER )</b></pre>
The USRPRF(*OWNER) is going to cause the program to be created so that the profile that <b>owns</b> the program can lend authority when it’s needed. The user who runs the program doesn’t need authority to the actions done by the program.
For that to be useful, you’ll want to use CHGOBJOWN to set the new owner to be some powerful profile. It could be QSECOFR, but something less is probably advisable. For example, you might not want an owner who has *AUDIT special authority.
Also, the program should be authorized with *PUBLIC *EXCLUDE. You will want to grant *USE authority only to trusted profiles who will be authorized to create other profiles with authorities that they don’t have. Best would probably be to create a special profile that you can use as a group profile and give *USE authority to only it. Then you can add that as a group or supplemental profile to the individuals you choose.
Note that the example parameters are preceded with “??”. Since those are the only parameters listed, they will be the only ones visible when the program runs. More detail on how those work can be found under the <a href="http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rbam6/rbam6delimeters.htm">CL command delimiters</a> topic.
You can prompt command parameters directly as in the example above, or you can display a simple display file format to allow entry of values. Take the values and substitute them into the command as shown for &UsrPrf. Doing it that way lets you avoid prompting the command itself, but you need to code some tests over the values to see if they’re appropriate.
In short, you don’t actually need to create a “Create Account registrar”. You can instead create a small set of utilities like the example. Each one would perform a very restricted function. You would simply authorize individuals to the functions you want them to have.
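The non-prompting variant described above, with tests coded over the values, as an added example that is not part of the original post. It assumes the values arrive as program parameters rather than from a display file; the program name CRTPRF2, the parameter names and the message texts are hypothetical.

```cl
/* Added example, not from the original post. CRTPRF2 is a hypothetical name. */
/* Compile with USRPRF(*OWNER) and secure the object as described above.      */
pgm parm(&UsrPrf &Text)
  dcl &UsrPrf *char 10      /* profile name supplied by the caller */
  dcl &Text   *char 50      /* description supplied by the caller  */
  dcl &First  *char 1       /* first character of the name         */

  /* Test 1: a name must be supplied */
  if (&UsrPrf *eq ' ') then(do)
    sndpgmmsg msgid(CPF9898) msgf(QSYS/QCPFMSG) msgtype(*ESCAPE) +
              msgdta('A profile name is required')
  enddo

  /* Test 2: stay out of the Q names used by IBM-supplied profiles */
  chgvar var(&First) value(%sst(&UsrPrf 1 1))
  if ((&First *eq 'Q') *or (&First *eq 'q')) then(do)
    sndpgmmsg msgid(CPF9898) msgf(QSYS/QCPFMSG) msgtype(*ESCAPE) +
              msgdta('Profile names starting with Q are not allowed')
  enddo

  /* Test 3: never act on a profile that already exists */
  chkobj obj(QSYS/&UsrPrf) objtype(*USRPRF)
  monmsg msgid(CPF9801) exec(goto Create)   /* CPF9801 = object not found */
  sndpgmmsg msgid(CPF9898) msgf(QSYS/QCPFMSG) msgtype(*ESCAPE) +
            msgdta('That profile already exists')

Create:
  /* No ?? prompting here: the class and special authorities are fixed in  */
  /* the source, so the caller cannot change them under adopted authority. */
  Qsys/crtusrprf usrprf(&UsrPrf) pwdexp(*YES) usrcls(*USER) +
                 text(&Text) spcaut(*USRCLS)
endpgm
```

Each failed test ends the program with an escape message before CRTUSRPRF is reached, so the adopted authority is only exercised on values that passed every check.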