User profiles

85 pts.
Tags:
AS/400 security
AS/400 user profiles
How can a person without *ALLOBJ authority display ALL user profiles? Thanks

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hi,

If the user has *SECADM authority and has the right to the user profiles (for example someone has used GRTOBJAUT to give permission to all the user profiles), then the user should be able to display all the user profiles.

If you want something to allow this, you could create a small CL program to do a WRKUSRPRF *ALL or DSPUSRPRF *ALL, change the program with USRPRF(*OWNER) and change the owner of the program to be a user profile with *ALLOBJ and *SECADM. This should allow your user to display or work with all user profiles.

Regards,

Martin Gilbert.

Discuss This Question: 4  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • mcl
    If you go the "small CL program" route, just make sure the user that needs to use it has authority to it as well. Realistically, all the user profiles should be "owned" by one account. If that account is a group account, then makeing your SECADM user part of that group will give him access to the user accounts. Regards Mike
    2,740 pointsBadges:
    report
  • jsev
    The OP asked how a person without *ALLOBJ could view all profiles. *SECADM authority has nothing to do with this. I guess this has been brought up on the assumption that the original question would be for people who need to modify/create profiles. My preference would be a program that adopts authority. There are 2 ways this could be done. 1. Have all profiles owned by a particular profile. The program would then adopt the authority of this profile. 2. Have the program adopt the authority of an *ALLOBJ profile. You could create a profile e.g. ADPALLOBJ that could be used for this purpose. I don't agree with Mikes approach as this creates an inherent security exposure in that these users would be able to submit a job under any one of these user profiles.
    10 pointsBadges:
    report
  • astradyne
    I wonder why the OP wants to be able to display a list of user profiles in the first place. In my experience there's a reason for not having the authority to do something and usually a request to the administrator is enough to get the access. Other than a Helpdesk user resetting profiles/passwords or an application validating against user profiles names I can't think of any reason why an unauthorised user would need to view a list of user profiles (well, I can, but it would involve breaching security).
    370 pointsBadges:
    report
  • TomLiotta
    Have all profiles owned by a particular profile. This, of course, would be very difficult to implement. Who will own QSYS? ...QSECOFR? ...profiles created by 3rd-party products that are engineered to act as owners? Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following