How to create GROUP PROFILE in AS/400 for user ID creation?

Tags:
AS/400 administration
AS/400 group profiles
AS/400 user administration
How to create GROUP PROFILE in AS400 for user ID creation?
ASKED: May 15, 2009  9:13 PM
UPDATED: September 17, 2013  8:06 AM

Answer Wiki


I’m not sure exactly what you mean by the question. If you want a profile that will be used by the helpdesk or some other group for profile maintenance, I would create individual profiles that have the *SECADM special authority, *LMTCPB *YES, and a menu option that guides them through profile creation, admin or deletion steps. Latest greatest security practice says special authorities should not be granted to group profiles but to individuals. Those same standards recommend against using IBM-supplied profiles for group profiles because they are well known and more likely to be attacked by hackers or malicious programmers.

If you mean that you want to create a group profile to base other profiles on, any profile you create will become a group if you create another profile with that profile as the group profile.

One strategy is to make your object owner for an app, say the profile OBJOWNR that owns a library and all of the objects in it, the group profile for the business group that owns the application and the data. The library and objects can then have an authorization list that grants other group profiles lower levels of object authority. This way you can have a group without existence rights so they can’t delete objects, or in today's SOX and HIPAA world you will probably want a programmer group such as PGMR (you create that) that has read-only rights so they can do research without being able to update production.

Discuss This Question: 4  Replies

 
  • JILAN
    Hi, I have a good answer for this. Before that: is what you are asking how to add a usrprf to a group profile? That is the right thing to ask. Well, when we are creating a usrprf, in the additional parameters (F10) we have a parameter for the group profile, so here we add that user to the group. Note: one user can be associated with a maximum of 16 group profiles (1 primary + 15 secondary). If you are asking instead how to create a group profile, it is similar to usrprf creation, but with two conditions: 1. The password should be *NONE. 2. Until we add a member to this group, it cannot be a group profile. Now I think you have some idea. If you still have a doubt on this, feel free to ask.
  • TomLiotta

    Latest greatest security practice says special authorities should not be granted to group profiles but to individuals.

    Can you document that recommendation? I can't directly dispute the assertion since many schemes are suited for specific environments, but it seems very counter-intuitive.

    A big reason for assigning to a group is so that authorities can be associated with an individual simply by adding to or removing from group membership. For the AS/400 series, a useful side-effect is that a particular member of a group can be *EXCLUDEd from most functions even when the group is authorized. (E.g., a user can be *EXCLUDEd from a file even if his/her group has *ALLOBJ special authority. That should be done only as a temporary measure because having *ALLOBJ available provides alternatives for working around such restrictions if sufficient time is allowed.)

    Also, an entire group can be given a special authority (or have one removed) if needed for temporary circumstances. There is less need to search out and change a bunch of possible individuals.

    Also, most security/compliance frameworks or guidelines tend to include Windows and Unix/Linux authority schemes. These make significant use of group permissions. A major point of "groups" in almost any OS is to consolidate permissions, rights, capabilities or authorities into consolidated units. This makes for ease of management and control, and many elements of various regulatory compliance schemes involve management and control.

    Other advantages can be listed with few disadvantages that I'm aware of.

    What would be a significant point of groups when individuals become the focus for authorities, especially 'special authorities'?

    Tom

  • TomLiotta

    One strategy is to make your object owner for an app, say the profile OBJOWNR that owns a library and all of the objects in it, the group profile for the business group that owns the application and the data.

    Can you justify that? Having an "owner" profile be the group profile for the users of an app's programs and data seems to be a very bad idea. This gives all members of the group "owner" capability.

    Even if the owner is *EXCLUDEd from access, an owner always has the capability of changing the owned object's authority. That seems like a very troublesome way to control an app.

    Tom

  • SujitNair2013

    There is no separate command to create a group profile.

    For creating a "Group Profile" and a "User Profile", the command in AS400 is CRTUSRPRF.

    To see which users are included in a specific group profile:

    DSPUSRPRF USRPRF(xxxx) TYPE(*GRPMBR)

    To add a user to a specific group, use the command below:

    CRTUSRPRF USRPRF(XXX) GRPPRF(XXX)

     

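The commands named in the answers above, combined into one CL source member. This is an added example, not code from any of the posters. It assumes the library APPLIB already exists; APPLIB, APPAUTL, APPUSERS, JSMITH, ADEV and the password INITPWD01 are constructed placeholders, while OBJOWNR and PGMR are the names used in the answer. OBJOWNR is left without members, following the ownership concern raised in the replies.

```cl
/* Added example. Run by a profile with *SECADM special        */
/* authority and rights to the existing library APPLIB.        */
PGM

/* Owner and group profiles are ordinary user profiles that    */
/* cannot sign on (PASSWORD(*NONE)). A profile becomes a group */
/* profile when the first member names it in GRPPRF.           */
CRTUSRPRF USRPRF(OBJOWNR)  PASSWORD(*NONE) TEXT('Owner of APPLIB')
CRTUSRPRF USRPRF(APPUSERS) PASSWORD(*NONE) TEXT('Group: business users')
CRTUSRPRF USRPRF(PGMR)     PASSWORD(*NONE) TEXT('Group: programmers')

/* Members. INITPWD01 is a placeholder; PWDEXP(*YES) forces a  */
/* change at first sign-on. No special authorities are given.  */
CRTUSRPRF USRPRF(JSMITH) PASSWORD(INITPWD01) PWDEXP(*YES) +
            LMTCPB(*YES) GRPPRF(APPUSERS) SPCAUT(*NONE) +
            TEXT('Business user')
CRTUSRPRF USRPRF(ADEV) PASSWORD(INITPWD01) PWDEXP(*YES) +
            GRPPRF(PGMR) SPCAUT(*NONE) +
            TEXT('Programmer, research access only')

/* One authorization list carries the access levels.           */
/* *CHANGE has no existence rights, so members of APPUSERS     */
/* cannot delete objects; *USE gives PGMR read-only access.    */
CRTAUTL  AUTL(APPAUTL) AUT(*EXCLUDE) TEXT('Access to APPLIB')
ADDAUTLE AUTL(APPAUTL) USER(APPUSERS) AUT(*CHANGE)
ADDAUTLE AUTL(APPAUTL) USER(PGMR)     AUT(*USE)

/* OBJOWNR has no members, so nobody inherits owner rights.    */
CHGOBJOWN OBJ(APPLIB) OBJTYPE(*LIB) NEWOWN(OBJOWNR)

/* Secure the library and its objects with the list, and make  */
/* *PUBLIC take its authority from the list (*EXCLUDE).        */
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) AUTL(APPAUTL)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) AUTL(APPAUTL)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*AUTL)

/* Review the result: group membership and list entries.       */
DSPUSRPRF USRPRF(APPUSERS) TYPE(*GRPMBR)
DSPUSRPRF USRPRF(PGMR)     TYPE(*GRPMBR)
DSPAUTL   AUTL(APPAUTL)

ENDPGM
```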
