User Profile ownership

0 pts.
Tags:
AS/400
We are currently cleaning up the security related objects on our iSeries and noticed that user profiles are owned by a variety of users. The question came up then - who should own the non-IBM user profiles? Has anyone else addressed this question and how did you decide who owns which profile?
ASKED: November 16, 2005  1:16 PM
UPDATED: November 20, 2009  6:28 AM

Answer Wiki

Thanks. We'll let you know when a new response is added.

Generally, In my experience is that whoever created the profile is the owner of the profile. If you have a lot of user profiles being owned by a large group of other user profiles, it would appear that the people, who are not system adminstrators, have way too much authority on the system to be creating their own user profiles. Another possibility is that the owner got changed by someone in the past based on some unknown reason. To decide who owns them is usually assigned to a system administrator or qsecofr or to the user profile itself.

===========================================================

Having group ownership or creating a profile that exists for the purpose of ownership are two good methods. Do <b>not</b> allow system profiles such as QSECOFR, QSYS or similar to own any local objects. If system profiles are found to own local profiles (or other local objects), change the owner to an appropriate profile.

Note that LPP objects are examples of “non-local” objects that may need to be transferred between systems. SAVLICPGM on one system, followed by RSTLICPGM on a system being migrated to, might require some object ownership by a guaranteed high-authority profile.

Tom

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • CarterC19
    All of our iSeries admins belong to one group profile, and everything they create under their admin profile (including day-to-day profiles they create) is owned by that group. That gives visibility of all such created profiles to all members of the admin group, such that they are all able to change profiles, remove them, etc. without having to have *ALLOBJ and *SECOFR authority. Auditors are quite OK with this setup as it prevents the need to give all the admin types all the god-like special authorities.
    220 pointsBadges:
    report
  • TheQuigs
    For what it's worth, all of ours are owned by QSYS.
    0 pointsBadges:
    report
  • TheQuigs
    For what it's worth, all of ours are owned by QSYS.
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following