*USER to reset *USRPRF
Purpose
With Business Process Outsourcing and remote administration flourishing, there is a standing requirement to complete every task offshore except the physical, hands-on operations.
This document explains how a user profile can be reset from offshore while still maintaining accountability and authorization.
Assumption
The document assumes a multi-tier architecture is in place and that the authority to reset user profiles rests with the offshore team. It further assumes that Level 1 support holds a profile with user class *USER (or any other user class) and not *SECADM or *SECOFR.
It also assumes a basic knowledge of CL programming.
Background
Of the eight special authorities available to a user profile on the iSeries system, *SECADM is the one required for creating, modifying and deleting user profiles. This includes changing the password, the status and the password expiration status.
Only a profile that holds this special authority can change the password of any user profile, switch its status between *ENABLED and *DISABLED, or set its password expiration status to *YES or *NO.
When the responsibility for changing passwords, profile status and password expiration status rests with offshore Level 1 support, can everyone be given *SECADM authority? No.
That would lead to security non-compliance.
Adopted authority
Among its many useful features, iSeries provides one called 'Adopted Authority'. A program with adopted authority runs with the special authority of a profile other than the one running it, so regardless of the authority held by the user profile that invokes it, the command or program operates with the authority adopted from the object.
Used properly, this is a very good feature; otherwise it may open holes in the secured walls. Because of this criticality, some institutions disallow the feature altogether.
Let us discuss the good part of it, with a proper illustration.
Resetting the User Profile
The illustration given here is a command and its CPP (Command Processing Program) for resetting a user profile.
The command and the CPP share the same name, RESETPRF.
The CPP Program (RESETPRF CL Program):
PGM PARM(&USRPRF)
/* Name of the profile to reset, passed in by the RESETPRF command */
DCL VAR(&USRPRF) TYPE(*CHAR) LEN(10)
/* Set the password to the profile name, enable the profile and expire */
/* the password so the user must change it at the next sign-on         */
CHGUSRPRF USRPRF(&USRPRF) PASSWORD(&USRPRF) +
PWDEXP(*YES) STATUS(*ENABLED)
/* Tell the caller what was done */
SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('The +
profile' *BCAT &USRPRF *BCAT 'has been reset')
ENDPGM
The program receives the user profile &USRPRF, resets the password to the same value as the profile name, changes the status of the profile to *ENABLED and sets the password expiry status to *YES.
Setting the password expiry to *YES keeps the user accountable for activity done under the profile, because the system prompts for a new password the next time that user signs on.
Now look at the simple CMD.
CMD
/* Single parameter: the profile to reset, prompted as shown below */
PARM KWD(USRPRF) TYPE(*CHAR) LEN(10) +
PROMPT('Enter the User Profile')
This receives the user profile to be reset in a more meaningful way, so the prompt display looks like the one given below.
(RESETPRF)
Type choices, press Enter.
Enter the User Profile . . . . . > __________ Character value
Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
Now type the profile name and the profile will be reset.
Now, where is the adopted authority used? Let us get to that.
The program and the command above can be created by any profile with *SECADM authority. The CPP, which in this case is nothing but the CL program RESETPRF, needs one parameter changed to make it usable by other authorized profiles, including profiles without *SECADM authority.
Change Program (CHGPGM)
Type choices, press Enter.
Program . . . . . . . . . . . . > RESETPRF Name, generic*, *ALL
Library . . . . . . . . . . . *USRLIBL Name, *USRLIBL
Optimize program . . . . . . . . *NO *SAME, *YES, *FULL, *BASIC...
User profile . . . . . . . . . . *OWNER *SAME, *USER, *OWNER
Use adopted authority . . . . . *YES *SAME, *YES, *NO
Remove observable info . . . . . *NONE *SAME, *ALL, *NONE...
+ for more values
Enable performance collection:
Collection level . . . . . . . *SAME *SAME, *NONE, *PEP, *FULL...
Procedures . . . . . . . . . . *ALLPRC, *NONLEAF
Profiling data . . . . . . . . . *SAME *SAME, *NOCOL, *COL, *CLR...
Teraspace . . . . . . . . . . . *NO *NO, *YES, *SAME
Force program re-creation . . . *NO *NO, *YES, *NOCRT
Text 'description' . . . . . . . 'Reset the user profile'
Bottom
F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel
F13=How to use this display F24=More keys
The value of the 'User profile' field needs to be changed from *USER to *OWNER. This lets any profile authorized to this object use the command.
The command RESETPRF should now be created with CRTCMD.
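The following CL program is an added example and is not the RESETPRF program from this post: it performs the same CHGUSRPRF reset described above but adds the two controls the adopted-authority discussion calls for, refusing to reset privileged profiles and recording which Level 1 user reset which profile. The program name RESETPRF2, the message texts and the use of QSYSOPR as the log queue are my choices; like the original it must be owned by a *SECADM profile and changed with CHGPGM to USRPRF(*OWNER) USEADPAUT(*YES) before a *USER profile can run it.

```cl
/* RESETPRF2: added example, not the post's RESETPRF. Same reset as the   */
/* original plus two controls: the target may not be a privileged profile */
/* and every reset is logged with the caller's name. Must be owned by a   */
/* *SECADM profile and set to USRPRF(*OWNER) USEADPAUT(*YES) via CHGPGM.  */
             PGM        PARM(&USRPRF)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&USRCLS) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(132)
             DCL        VAR(&I)      TYPE(*INT)  LEN(4)
             DCL        VAR(&DENY)   TYPE(*LGL)  VALUE('0')

/* Adopted authority does not change the current user, so *CURRENT still  */
/* names the Level 1 operator running the command, not the program owner. */
             RTVUSRPRF  USRPRF(*CURRENT) RTNUSRPRF(&CALLER)

/* Target profile must exist: CPF2204 is "User profile not found".        */
             RTVUSRPRF  USRPRF(&USRPRF) USRCLS(&USRCLS) SPCAUT(&SPCAUT)
             MONMSG     MSGID(CPF2204) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                            MSGDTA('Profile' *BCAT &USRPRF *BCAT 'not found') +
                            MSGTYPE(*ESCAPE)
             ENDDO

/* &SPCAUT holds up to ten 10-character entries; refuse any target that   */
/* has *ALLOBJ or *SECADM, or a *SECOFR/*SECADM user class.               */
             DOFOR      VAR(&I) FROM(1) TO(91) BY(10)
               IF         COND((%SST(&SPCAUT &I 10) *EQ '*ALLOBJ') *OR +
                               (%SST(&SPCAUT &I 10) *EQ '*SECADM')) +
                            THEN(CHGVAR VAR(&DENY) VALUE('1'))
             ENDDO
             IF         COND(&DENY *OR (&USRCLS *EQ '*SECOFR') *OR +
                             (&USRCLS *EQ '*SECADM')) THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                            MSGDTA('Refused: privileged profile' *BCAT &USRPRF) +
                            MSGTYPE(*ESCAPE)
             ENDDO

/* The reset itself, exactly as in the post (PWDEXP(*YES) forces a new    */
/* password at the next sign-on).                                          */
             CHGUSRPRF  USRPRF(&USRPRF) PASSWORD(&USRPRF) PWDEXP(*YES) +
                          STATUS(*ENABLED)

/* Accountability: record who reset whom in QSYSOPR and tell the caller.  */
             CHGVAR     VAR(&MSG) VALUE('RESETPRF2:' *BCAT &CALLER *BCAT +
                          'reset' *BCAT &USRPRF)
             SNDMSG     MSG(&MSG) TOMSGQ(QSYSOPR)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*COMP)
             ENDPGM
```

DOFOR requires V5R3 or later. DSPPGMADP with the owning profile lists every program that adopts that profile's authority, which is the check a reviewer runs to confirm nothing beyond the intended CPP adopts *SECADM.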
Conclusion
This is a very useful feature for similar requirements, but care should be taken over the adopted authority and over which profiles are authorized to use it; otherwise it may lead to a security exposure on the system.
This can be made a menu option for Level 1 support, enabling them to reset profiles without command-line access or the *SECADM special authority.
Please mail me at dean@iseriesuniversity.com for any clarifications or concerns.
Subbu
