Group profiles

1150 pts.
Tags:
AS/400 administration
AS/400 group profiles
AS/400 user profiles
Hi,

can anybody tell me if it is possible to change a group profile back to a normal(stand alone) user profile after deleting the users from that group?



Software/Hardware used:
as/400

Answer Wiki

Thanks. We'll let you know when a new response is added.

You might also want to look at what objects are secured by the group profile. A group profile is just a user profile that is used for grouping access to objects. If you are going to use the group profile as an individual profile then you need to set the securities and object access for that user.

A group profile is only considered a ‘group’ if it in included as a group or supplemental profile within another profile. Removing the profile from other individual profiles will remove it from the ‘group’ category.

================================================

Yes, but it’s often not immediately obvious how it needs to be done.

First, of course, disassociate all members from the group. This will turn off the general Group Profile Indicator (seen in the *outfile from DSPUSRPRF *BASIC). For <i>most</i> purposes, this is what is intended when a ‘group’ profile is to become a ‘normal’ profile.

However, the profile should then be reviewed to see if it is the Primary Group for any objects — DSPUSRPRF TYPE(*OBJPGP). Change the Primary Group assignments for the objects.

Finally, call the <a href=”http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/apis/QSYCHGID.htm”>Change User Profile UID or GID (QSYCHGID) API</a> to set the profile’s GID value to zero. Unfortunately, the CHGUSRPRF command doesn’t allow a value of zero, so the API is required… at least, it has been in recent releases — quick test shows it’s still restricted on the command in V6R1.

Those last two steps can often be ignored. However, if facilities such NFS are active or other UNIX-style networking elements that may use UID/GID for authorization in the network, keeping control of UID/GID should be done.

(BTW, note that GID in i5/OS does not equate to ‘root’ but rather to ‘no group assigned’.)

Tom

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Batman47
    Group profiles typically have the PWDEXPITV paramenter set to *NOMAX, so you should change that to whatever policy your have for your users. They also have the GRPPRF parm. set to *NONE, so you might want to assign a group profile to it and then change OWNER to *GRPPRF. I would also pay attention to the INLPGM, INLMNU, and JOBD parameters.
    1,050 pointsBadges:
    report
  • DanD
    One shortcut fo discovering profiles that are in this group profile is to do a wrkobj on the usrprf and opt 5 to display the object authority. Every profile that is in the group will have some authority to the object. When that profile is no longer the group for any other profile only that profile and the creator will have authority to it, and *public will be *exclude. At that point the profile will no longer be a group profile.
    2,865 pointsBadges:
    report
  • TomLiotta
    I'm not aware of any reason that a group profile should have no password. Since membership in a group provides the authorities of the group profile, you might as well say that all members should have no password. Of course, there may be a policy that needs to be followed; so, it may be a moot point. And 'particular' group profiles isn't the same as 'all' group profiles, so it can easily be true in specific cases. That's no different from any profile that shouldn't have password. The same thinking can be applied for PWDEXPITV() and other parameters. If an attribute isn't appropriate for a profile, it shouldn't be set. I just don't know that 'group' status has any reason for being a determining characteristic. Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following