85 pts.
 User profiles
How can a person without *ALLOBJ authority display ALL user profiles? Thanks

ASKED: June 24, 2008  12:15 PM
UPDATED: November 3, 2009  11:18 PM

Answer Wiki:
Hi, if the user has *SECADM authority and has the right to the user profiles (for example someone has used GRTOBJAUT to give permission to all the user profiles), then the user should be able to display all the user profiles. If you want something to allow this, you could create a small CL program to do a WRKUSRPRF *ALL or DSPUSRPRF *ALL, change the program with USRPRF(*OWNER) and change the owner of the program to be a user profile with *ALLOBJ and *SECADM. This should allow your user to display or work with all user profiles. Regards, Martin Gilbert.
Last Wiki Answer Submitted:  June 24, 2008  12:21 pm  by  Gilly400   23,625 pts.
All Answer Wiki Contributors:  Gilly400   23,625 pts.


Discuss This Question:

If you go the “small CL program” route, just make sure the user that needs to use it has authority to it as well.

Realistically, all the user profiles should be “owned” by one account. If that account is a group account, then making your SECADM user part of that group will give him access to the user accounts.

Regards
Mike

 2,725 pts.

 

The OP asked how a person without *ALLOBJ could view all profiles. *SECADM authority has nothing to do with this. I guess this has been brought up on the assumption that the original question would be for people who need to modify/create profiles.

My preference would be a program that adopts authority. There are 2 ways this could be done.

1. Have all profiles owned by a particular profile. The program would then adopt the authority of this profile.
2. Have the program adopt the authority of an *ALLOBJ profile. You could create a profile e.g. ADPALLOBJ that could be used for this purpose.

I don’t agree with Mike’s approach as this creates an inherent security exposure in that these users would be able to submit a job under any one of these user profiles.

 10 pts.
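
One way to set up the adopted-authority program described in the Answer Wiki and in option 2 above, as an added example that is not code from any poster in this thread. The library SECTOOLS, program LSTUSRPRF and user HELPDESK1 are hypothetical names; ADPALLOBJ is the owner profile suggested above, and the program writes a DSPUSRPRF outfile instead of opening WRKUSRPRF so that only a listing is produced under the adopted authority.

```cl
/* ---- Source member SECTOOLS/QCLSRC(LSTUSRPRF) (hypothetical names) ---- */
PGM
   /* Runs under the adopted authority of the program owner.             */
   /* Produces a listing only: the outfile goes to the caller's QTEMP,   */
   /* and the default OUTMBR(*FIRST *REPLACE) overwrites it on reruns.   */
   DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                OUTFILE(QTEMP/USRLIST)
   /* Report any failure to the caller as an escape message.             */
   MONMSG     MSGID(CPF0000) EXEC(DO)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                   MSGDTA('User profile listing failed') MSGTYPE(*ESCAPE)
   ENDDO
ENDPGM

/* ---- Setup, run once by the security officer ---- */
/* Create with public authority excluded, so nobody can call it yet.     */
CRTBNDCL   PGM(SECTOOLS/LSTUSRPRF) SRCFILE(SECTOOLS/QCLSRC) +
             SRCMBR(LSTUSRPRF) AUT(*EXCLUDE)
/* Make the program adopt its owner's authority, then set the owner.     */
CHGPGM     PGM(SECTOOLS/LSTUSRPRF) USRPRF(*OWNER)
CHGOBJOWN  OBJ(SECTOOLS/LSTUSRPRF) OBJTYPE(*PGM) NEWOWN(ADPALLOBJ)
/* Authorize only the user who needs the listing.                        */
GRTOBJAUT  OBJ(SECTOOLS/LSTUSRPRF) OBJTYPE(*PGM) USER(HELPDESK1) +
             AUT(*USE)

/* ---- Checks ---- */
/* Owner and the "User profile" (*OWNER) attribute of the program.       */
DSPPGM     PGM(SECTOOLS/LSTUSRPRF)
/* Who is authorized to call it; *PUBLIC should show *EXCLUDE.           */
DSPOBJAUT  OBJ(SECTOOLS/LSTUSRPRF) OBJTYPE(*PGM)
/* Every object that adopts ADPALLOBJ; review this list periodically.    */
PRTADPOBJ  USRPRF(ADPALLOBJ)
```

HELPDESK1 runs `CALL PGM(SECTOOLS/LSTUSRPRF)` and then reads QTEMP/USRLIST under their own authority, since the outfile is created in the caller's job and is owned by the job's user, not by ADPALLOBJ.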

 

I wonder why the OP wants to be able to display a list of user profiles in the first place. In my experience there’s a reason for not having the authority to do something and usually a request to the administrator is enough to get the access.

Other than a Helpdesk user resetting profiles/passwords or an application validating against user profile names I can’t think of any reason why an unauthorised user would need to view a list of user profiles (well, I can, but it would involve breaching security).

 370 pts.

 

Have all profiles owned by a particular profile.

This, of course, would be very difficult to implement. Who will own QSYS? …QSECOFR? …profiles created by 3rd-party products that are engineered to act as owners?

Tom

 110,115 pts.