iseriesuniversity

Monday, February 26, 2007

*USER to reset *USRPRF

Purpose

With Business Process Outsourcing and remote administration flourishing, there is a standing requirement to complete every task offshore except those that need physical presence.
This document elaborates how a user profile reset can be done from offshore while still maintaining accountability and authorization.

Assumption

The document assumes a multi-tier architecture is in place and that the authority to reset user profiles rests with the offshore team. It further assumes that Level 1 support holds a profile with user class *USER (or any other user class) and not *SECADM or *SECOFR.

The document further assumes a little knowledge of CL programming.

Background

Of the eight special authorities available to a user profile on the iSeries, *SECADM is the one required for creating, changing and deleting user profiles. This includes changing the password, the status and the password-expiration status.

A profile that holds this special authority can change the password of any user profile, change its status between *ENABLED and *DISABLED, and set the password-expiration status to *YES or *NO.

When the responsibility for changing passwords, profile status and password-expiration status rests with offshore Level 1 support, can everyone be given *SECADM authority? No.

That would lead to security non-compliance.

Adopted authority

Among its many useful features, the iSeries provides one called 'Adopted Authority'. A program that adopts authority runs with the authority of its owning profile in addition to that of the caller. So, irrespective of the authority of the calling user profile, the program (or a command that calls it) can act with the authority the object adopts.

This is a very good feature when used properly; misused, it can open the secured walls. Because of that criticality, some institutions disallow it outright.

Let us discuss the good part of it with a proper illustration.

Resetting the User Profile

The illustration given here is a command and its CPP (Command Processing Program) for resetting a user profile.

The command and the CPP have the same name, RESETPRF.
The CPP (RESETPRF CL program):

PGM PARM(&USRPRF)
DCL VAR(&USRPRF) TYPE(*CHAR) LEN(10)
/* Reset the password to the profile name, enable the profile and */
/* force a password change at the next sign-on                    */
CHGUSRPRF USRPRF(&USRPRF) PASSWORD(&USRPRF) +
PWDEXP(*YES) STATUS(*ENABLED)
/* Tell the caller what was done                                  */
SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('The +
profile' *BCAT &USRPRF *BCAT 'has been reset')
ENDPGM


The program receives the user profile name in &USRPRF, resets the password to the same value as the profile name, changes the profile status to *ENABLED and sets the password-expiration status to *YES.

Setting the password expiration to *YES ensures that the user remains accountable for the activity done under the profile, because the user is prompted to change the password at the next sign-on.

Now look at the simple CMD.

CMD
PARM KWD(USRPRF) TYPE(*CHAR) LEN(10) +
PROMPT('Enter the User Profile')

This receives the user profile to be reset in a more meaningful way, so the prompt display looks as shown below.

(RESETPRF)

Type choices, press Enter.

Enter the User Profile . . . . . > __________ Character value

Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys

Type the profile name and the profile will be reset.
Now, where is adopted authority being used? Let us get on to that.

The above program and command can be created by any profile with *SECADM authority. Nothing needs to change on the command itself, but the CPP, the CL program RESETPRF, needs one parameter changed to make it usable by other authorized profiles, including profiles without *SECADM authority.


Change Program (CHGPGM)

Type choices, press Enter.

Program . . . . . . . . . . . . > RESETPRF Name, generic*, *ALL
Library . . . . . . . . . . . *USRLIBL Name, *USRLIBL
Optimize program . . . . . . . . *NO *SAME, *YES, *FULL, *BASIC...
User profile . . . . . . . . . . *OWNER *SAME, *USER, *OWNER
Use adopted authority . . . . . *YES *SAME, *YES, *NO
Remove observable info . . . . . *NONE *SAME, *ALL, *NONE...
+ for more values
Enable performance collection:
Collection level . . . . . . . *SAME *SAME, *NONE, *PEP, *FULL...
Procedures . . . . . . . . . . *ALLPRC, *NONLEAF
Profiling data . . . . . . . . . *SAME *SAME, *NOCOL, *COL, *CLR...
Teraspace . . . . . . . . . . . *NO *NO, *YES, *SAME
Force program re-creation . . . *NO *NO, *YES, *NOCRT
Text 'description' . . . . . . . 'Reset the user profile'

Bottom
F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel
F13=How to use this display F24=More keys

The value of the 'User profile' field needs to be changed from *USER to *OWNER. The program then runs under the authority of its owner, so any profile authorized to the program object can use this command.

Now the command RESETPRF should be created using CRTCMD.
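Added here as an example, not code from the original post: a hardened variant of the RESETPRF CPP that keeps the reset behaviour described above but refuses to act on IBM-supplied (Q*) profiles and on any profile that itself holds *SECADM or *ALLOBJ, reports problems as escape messages rather than halting, and records how the program object should be created and authorized. The library MYLIB and the group profile L1SUPPORT are assumed names.

```cl
/* Create with USRPRF(*OWNER) so the program adopts its owner's authority,   */
/* and AUT(*EXCLUDE) so only explicitly authorized profiles can call it:    */
/*   CRTCLPGM PGM(MYLIB/RESETPRF) SRCFILE(MYLIB/QCLSRC) USRPRF(*OWNER) AUT(*EXCLUDE) */
/*   GRTOBJAUT OBJ(MYLIB/RESETPRF) OBJTYPE(*PGM) USER(L1SUPPORT) AUT(*USE)          */
/* MYLIB and L1SUPPORT are assumed names.                                            */
PGM PARM(&USRPRF)
DCL VAR(&USRPRF) TYPE(*CHAR) LEN(10)
DCL VAR(&SPCAUT) TYPE(*CHAR) LEN(100)  /* ten 10-byte special-authority slots */
DCL VAR(&STATUS) TYPE(*CHAR) LEN(10)
DCL VAR(&AUT)    TYPE(*CHAR) LEN(10)
DCL VAR(&POS)    TYPE(*DEC)  LEN(3 0) VALUE(1)
/* Any unexpected error ends with an escape message, never an inquiry message */
MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

/* IBM-supplied profiles (QSECOFR, QSYS, ...) are never reset from Level 1 */
IF COND(%SST(&USRPRF 1 1) *EQ 'Q') THEN(GOTO CMDLBL(REJECT))

/* Fetch the target's special authorities and current status */
RTVUSRPRF USRPRF(&USRPRF) SPCAUT(&SPCAUT) STATUS(&STATUS)

/* Walk the ten slots: a profile holding *SECADM or *ALLOBJ is out of scope */
LOOP: CHGVAR VAR(&AUT) VALUE(%SST(&SPCAUT &POS 10))
IF COND((&AUT *EQ '*SECADM') *OR (&AUT *EQ '*ALLOBJ')) +
   THEN(GOTO CMDLBL(REJECT))
CHGVAR VAR(&POS) VALUE(&POS + 10)
IF COND(&POS *LT 100) THEN(GOTO CMDLBL(LOOP))

/* Same reset as the original: password = profile name, enabled, change at sign-on */
CHGUSRPRF USRPRF(&USRPRF) PASSWORD(&USRPRF) PWDEXP(*YES) STATUS(*ENABLED)

/* Leave an operator trace in addition to the CP audit entry written when */
/* security auditing is active                                            */
SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('Profile' *BCAT &USRPRF *BCAT +
   'reset, previous status' *BCAT &STATUS) TOMSGQ(QSYSOPR)
SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('The profile' *BCAT &USRPRF +
   *BCAT 'has been reset') MSGTYPE(*COMP)
RETURN

REJECT: SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('Profile' *BCAT &USRPRF +
   *BCAT 'cannot be reset with this command') MSGTYPE(*ESCAPE)
RETURN

ERROR: SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('Reset of' *BCAT &USRPRF +
   *BCAT 'failed, see job log') MSGTYPE(*ESCAPE)
ENDPGM
```

The owner of the program must itself hold *SECADM and have sufficient authority to the profiles being reset; the caller needs only *USE on the program and the command.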
Conclusion

This feature is useful for similar requirements, but care should be taken over the adopted authority and over which user profiles are authorized to the program; otherwise it can lead to a security exposure on the system.

This can be made a menu option for Level 1 support, enabling them to reset profiles without needing command-line access or *SECADM special authority.

Please mail me at dean@iseriesuniversity.com for any clarifications or concerns.

Subbu

Tuesday, February 20, 2007

This is to create a simple reporting tool for the system administrator.

The requirement is that the profile running it possesses *AUDIT special authority, as expected for any AS/400 system administrator. A data area called DATTIM must exist in your library (or any library); replace the library name 'SUBBU' with yours.

RTVDSKINF should have been completed beforehand. It is strongly recommended that this command be submitted in batch mode so that it does not eat up system resources.

The CL program produces a few spool files.

And here it is. The program is not very great, but it can act as a basic starting point for further improvements.

PGM
/* Data area DATTIM keeps the date (positions 1-6) and time (11-16) of the */
/* previous run. Create it once with                                         */
/*   CRTDTAARA DTAARA(SUBBU/DATTIM) TYPE(*CHAR) LEN(20)                      */
/* and set a starting date and time with CHGDTAARA before the first run.     */
DCL VAR(&TIME)  TYPE(*CHAR) LEN(9)   /* QTIME is HHMMSSmmm          */
DCL VAR(&DATE)  TYPE(*CHAR) LEN(6)   /* QDATE in the job date format */
DCL VAR(&TIME2) TYPE(*CHAR) LEN(6)   /* previous run, HHMMSS         */
DCL VAR(&DATE2) TYPE(*CHAR) LEN(6)   /* previous run date            */
RTVSYSVAL SYSVAL(QDATE) RTNVAR(&DATE)
RTVSYSVAL SYSVAL(QTIME) RTNVAR(&TIME)
/* Read where the previous run left off */
RTVDTAARA DTAARA(SUBBU/DATTIM (1 6)) RTNVAR(&DATE2)
RTVDTAARA DTAARA(SUBBU/DATTIM (11 6)) RTNVAR(&TIME2)
/* Print the security audit journal entries written since the previous run */
DSPAUDJRNE ENTTYP(AF CO CD CP SV CA DO JS SF PW ZC) +
FROMTIME(&DATE2 &TIME2)
/* Save this run's date and time for the next run */
CHGDTAARA DTAARA(SUBBU/DATTIM (1 6)) VALUE(&DATE)
CHGDTAARA DTAARA(SUBBU/DATTIM (11 6)) VALUE(%SST(&TIME 1 6))
/******************************************************************************/
/* Disk usage by library (from the last RTVDSKINF) and a system status snapshot */
SBMJOB CMD(PRTDSKINF RPTTYPE(*LIB))
DSPSYSSTS OUTPUT(*PRINT)
/******************************************************************************/
ENDPGM

Hope this helps.

Thank you; you can reach me at dean@iseriesuniversity.com

Subramaniam.S