


SBMJOB CMD(CHGUSRPRF USRPRF(user_id) PASSWORD(new_password)
STATUS(*ENABLED)) USER(QSECOFR)

In order to do this to any profile you would need at least *USE
authority to that profile. And as someone else noted QSECOFR is one of
a handful of IBM profiles that are specifically edited out of the SBMJOB
command, so this command would need another User ID named in the USER
parameter in order to work. However, (this is my belated contribution
to the Halloween season)...


IF
You run a popular software package such as JDE, or Infinium, or many,
many others where the object ownership practice is:
-All objects are owned by user FRED (Insert your favorite owner
profile here)
-Everyone is a member of Group FRED
-Everyone (or more importantly, the person who creates new profiles)
has the OWNER parameter in their user profile set to *GRPPRF.

THEN
Every new profile that is created will be owned by the Group Profile,
and every member of the group will have more than *USE rights to all of
those profiles.

I've been in shops with over 1000 users where every user id was owned by
the group so every user could do this command...

SBMJOB CMD(CHGUSRPRF USRPRF(user_id) PASSWORD(new_password)
STATUS(*ENABLED)) USER(SomeBody)

...To every other user in the group.

Pretty scary huh?

Don't let this happen to you. QSECOFR should own all profiles. No one
should have even *USE rights to any other profile unless you explicitly
want them to be able to assume another's identity.

There, now my Halloween is officially over. :)

jte







--

John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx
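
An audit sketch for the ownership pattern described in the reply above, added here as an example and not part of the original post. It works on a constructed export of user profiles; the column names and the sample rows are assumptions, and on a real system the rows would come from your own profile and object-ownership reports.

```python
import csv
import io

# Constructed sample export (not real data). Assumed columns: the profile name,
# the owner of the *USRPRF object, the profile's group, and its OWNER parameter.
SAMPLE = """profile,object_owner,group_profile,owner_parm
FRED,QSECOFR,*NONE,*USRPRF
ALICE,FRED,FRED,*GRPPRF
BOB,FRED,FRED,*GRPPRF
CAROL,QSECOFR,FRED,*USRPRF
DAVE,QSECOFR,*NONE,*USRPRF
"""

TRUSTED_OWNER = "QSECOFR"

def load(text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(rows):
    """Return (badly_owned, exposure, risky_creators).

    badly_owned:    profiles whose *USRPRF object is not owned by QSECOFR.
    exposure:       {profile: users who inherit owner rights to it through
                    membership in the group that owns it}.
    risky_creators: group members with OWNER(*GRPPRF); any profile they
                    create becomes group-owned.
    """
    members = {}
    for r in rows:
        if r["group_profile"] != "*NONE":
            members.setdefault(r["group_profile"], set()).add(r["profile"])
    badly_owned = sorted(r["profile"] for r in rows
                         if r["object_owner"] != TRUSTED_OWNER)
    exposure = {}
    for r in rows:
        inheritors = members.get(r["object_owner"], set()) - {r["profile"]}
        if inheritors:
            exposure[r["profile"]] = sorted(inheritors)
    risky = sorted(r["profile"] for r in rows
                   if r["owner_parm"] == "*GRPPRF"
                   and r["group_profile"] != "*NONE")
    return badly_owned, exposure, risky

if __name__ == "__main__":
    bad, exposure, risky = audit(load(SAMPLE))
    print("Profiles not owned by", TRUSTED_OWNER, ":", bad)
    for prof, who in exposure.items():
        print(f"{prof}: owner rights inherited by {who}")
    print("Creators with OWNER(*GRPPRF):", risky)
```

Every profile in the first list should be re-owned to QSECOFR, and every user in the last list will keep producing group-owned profiles until their OWNER parameter is changed.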





-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
bounces@xxxxxxxxxxxx] On Behalf Of GUY_HENZA@xxxxxxxxxxxxxx
Sent: Friday, November 09, 2007 7:20 AM
To: Midrange Systems Technical Discussion
Subject: RE: Change user profile without *SECADM


SBMJOB CMD(CHGUSRPRF USRPRF(user_id) PASSWORD(new_password)
STATUS(*ENABLED)) USER(QSECOFR)

Regards,

Guy




"Chris Bipes" <chris.bipes@cross-check.com>
Sent by: midrange-l-bounces@midrange.com
11/09/2007 10:10 AM
Please respond to Midrange Systems Technical Discussion

To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc:
Subject: RE: Change user profile without *SECADM






I have a command that calls a CLP to reset user profiles. This command
is secured by an Authorization List as well as the CLP. It allows
non-security users named in the AUTL to re-enable a profile as well as
change the password. The password change forces the flag to change
password at next sign on. I would also like to have it write to a log
but I have not gone that far. The owner of the command and CLP is
QSECOFR and it runs under owner adopted authority.

Chris Bipes
Director of Information Services
CrossCheck, Inc.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tomasz Skorza
Sent: Friday, November 09, 2007 3:44 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Change user profile without *SECADM

Hi

Is it possible to change user profile (enable it) without special
authority *SECADM?

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.










This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
