• Subject: RE: *SECADM change QSECOFR passw
  • From: D.BALE@xxxxxxxxxxxxx
  • Date: Mon, 23 Apr 2001 18:40:00 -0400

Security level 40.

Dan Bale
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com
  Quiquid latine dictum sit altum viditur.
  (Whatever is said in Latin seems profound.)

-------------------------- Original Message --------------------------
What security level are you running?  UKHELP has a user class of *SECADM:

From the help for *SECADM on the User Class parameter of CHGUSRPRF:
        At QSECURITY level 10 or 20, the security administrator has
        *ALLOBJ, *JOBCTL, *SAVSYS, and *SECADM special authorities.

So, the special authority of *SECADM gives UKHELP the authority to change
user profiles and passwords.  If you're running security level 20 or below
then user class of *SECADM grants special authority of *ALLOBJ, which gives
UKHELP authority to access all objects, including the QSECOFR user profile.

If you're running security level 30 or above then UKHELP somehow has
authority to the QSECOFR user profile object even though UKHELP does not
have *ALLOBJ special authority.  DSPOBJAUT QSECOFR *USRPRF to try to figure
out how.

If you're running security level 20 or below, then you probably need to
change UKHELP to have special authority of *SECADM without user class of
*SECADM.

One of the suggestions for a special program with adopted authority would
also work.

-----Original Message-----
From: D.BALE@handleman.com [mailto:D.BALE@handleman.com]
Sent: Monday, April 23, 2001 10:56 AM
To: MIDRANGE-L@midrange.com
Subject: Re: *SECADM change QSECOFR passw


The UKHELP profile has only *SECADM authority; it does not have *ALLOBJ
authority, unless it is implied somewhere else.  Did you get it confused with
the QSECOFR profile I listed as well?

- Dan
Dan Bale says "Ban Dale!"
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com
  Quiquid latine dictum sit altum viditur.
  (Whatever is said in Latin seems profound.)

-------------------------- Original Message --------------------------
It is the *allobj in the ukhelp that causes the prob. Allobj includes
the object qsecofr *usrprf.
If they need special powers, put it in a pgm that adopts auth, but
suggest they should not have allobj. (Do be careful with adopt auth.)
jim

----- Original Message -----
From: <D.BALE@handleman.com>
To: <MIDRANGE-L@midrange.com>
Sent: Friday, April 20, 2001 2:56 PM
Subject: *SECADM change QSECOFR password?


> We set up a user profile (UKHELP) at one of our international branches whose
> sole purpose is to reset passwords and re-enable profiles for profiles that
> got disabled due to too many invalid attempts to sign on.
>
> This works fine except that this user profile has the ability to change the
> QSECOFR profile as well.  How can we prevent that?  Following are pertinent
> bits & pieces from the UKHELP profile:
>   User class . . . . . . . . :   *SECADM
>   Special authority  . . . . :   *SECADM
>   Group profile  . . . . . . :   SECADM
>   Owner  . . . . . . . . . . :   *USRPRF
>   Group authority  . . . . . :   *NONE
>   Group authority type . . . :   *PRIVATE
>   Supplemental groups  . . . :   *NONE
>   Initial program  . . . . . :   SEC612R
>     Library  . . . . . . . . :     *LIBL
>   Initial menu . . . . . . . :   MAIN
>     Library  . . . . . . . . :     *LIBL
>   Limit capabilities . . . . :   *NO
>
> Following are pertinent bits & pieces from the QSECOFR profile:
>   User class . . . . . . . . :   *SECOFR
>   Special authority  . . . . :   *ALLOBJ
>                                  *AUDIT
>                                  *IOSYSCFG
>                                  *JOBCTL
>                                  *SAVSYS
>                                  *SECADM
>                                  *SERVICE
>                                  *SPLCTL
>   Group profile  . . . . . . :   *NONE
>   Owner  . . . . . . . . . . :   *USRPRF
>   Group authority  . . . . . :   *NONE
>   Group authority type . . . :   *PRIVATE
>   Supplemental groups  . . . :   *NONE
>   Initial program  . . . . . :   *NONE
>     Library  . . . . . . . . :
>   Initial menu . . . . . . . :   MAIN
>     Library  . . . . . . . . :     *LIBL
>   Limit capabilities . . . . :   *NO
>
> FWIW, DSPPGM SEC612R (UKHELP's initial program) shows "Use adopted authority:
> = *YES"
>
> TIA!
>
> - Dan
> Dan Bale says "Ban Dale!"
> IT - AS/400
> Handleman Company
> 248-362-4400  Ext. 4952
> D.Bale@Handleman.com
>   Quiquid latine dictum sit altum viditur.
>   (Whatever is said in Latin seems profound.)
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
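
The reasoning in the replies above, as an added example that is not part of the original thread: a Python sketch that parses the profile listing format posted in the first message and reports whether *ALLOBJ arrives with the *SECADM user class at a given QSECURITY level, or which leads remain to be checked. The function names and the trimmed sample listing are constructed for illustration; the level 10/20 rule is the one quoted from the CHGUSRPRF help, applied as the reply reads it.

```python
import re

# Constructed sample: the UKHELP listing from the thread, trimmed to relevant fields.
UKHELP = """\
  User class . . . . . . . . :   *SECADM
  Special authority  . . . . :   *SECADM
  Group profile  . . . . . . :   SECADM
  Initial program  . . . . . :   SEC612R
"""

# From the CHGUSRPRF help quoted in the thread: class *SECADM at QSECURITY 10 or 20.
SECADM_CLASS_LOW = {"*ALLOBJ", "*JOBCTL", "*SAVSYS", "*SECADM"}
# "Label . . . . :   value" with dot leaders between label and colon.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s+(?:\. ?)+:\s*(.*)$")


def parse_profile(text):
    """Parse listing lines; a bare value line continues the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, value = m.group(1), m.group(2).strip()
            fields.setdefault(last, [])
        elif last and line.strip():
            value = line.strip()          # e.g. the *AUDIT line under *ALLOBJ
        else:
            continue
        if value:
            fields[last].append(value)
    return fields


def paths_to_qsecofr(profile, qsecurity):
    """Return (kind, detail) findings for how a profile could reach QSECOFR *USRPRF."""
    def first(key):
        return (profile.get(key) or ["*NONE"])[0]
    effective = set(profile.get("Special authority", []))
    if first("User class") == "*SECADM" and qsecurity <= 20:
        effective |= SECADM_CLASS_LOW     # level 10/20 rule from the help text
    if "*ALLOBJ" in effective:
        return [("direct", "*ALLOBJ covers all objects, including QSECOFR *USRPRF")]
    # Level 30 and above without *ALLOBJ: the authority comes from somewhere else.
    findings = [("check", "DSPOBJAUT QSECOFR *USRPRF for private or public authority")]
    if first("Group profile") != "*NONE":
        findings.append(("check", "authorities of group profile " + first("Group profile")))
    if first("Initial program") != "*NONE":
        findings.append(("check", "owner of " + first("Initial program") + " if it adopts authority"))
    return findings
```

At the security level 40 reported in this thread, `paths_to_qsecofr(parse_profile(UKHELP), 40)` returns only "check" entries: the DSPOBJAUT lookup, the SECADM group profile, and the adopting initial program SEC612R.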


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].