RE: WRKUSRPRF -- MIDRANGE-L

> We have a person with *SECADM authority.  When she performs WRKUSRPRF
> *ALL only some of the user profiles appear.  If we give her *ALLOBJ
> authority too then all the user profiles can be seen.
> 
> This doesn't seem correct to me.   Can someone clarify why *SECADM is
> not sufficient to get to all of the user profiles?  V4R4
> 

As others have noted, the problem you are having is with Object
Authority on the user profiles.  There are a couple of obvious
solutions...

1)  Have all profiles owned by user #PROFOWNER.  Make your *SECADM user
(I'll call her Sally) a member of the #PROFOWNER group.  Pro:  Sally
will now instantly have authority to all profiles.   Con: If Sally has
even *USE authority to any profile she can assume that user's identity
without changing their password and without leaving much of a trace.

2) Create a program that adopts QSECOFR-like authority and does the
CHGUSRPRF (not WRKUSRPRF) command for Sally.  A simple version of this
program might look like this: 
PGM
?CHGUSRPRF
ENDPGM

This program would allow Sally to modify any parameter on any user
profile.  If you wanted to limit which parameters she could change, you
could put question marks in front of only those parameters that you
wanted, or didn't want changed, so you have a fair amount of control
over what the person can do.
Pro:  you can do this your self with a little programming.  Con:  you'd
probably want a DSPUSRPRF and maybe some other programs as well.  Also,
you would have to rely on the QAUDJRN to tell you what Sally had done.

3) Purchase PowerLock AuthorityBroker (Shameless plug there) that let's
you limit access to power, and also does the auditing, notification, and
reporting for you.  This allows you to temporarily give Sally enough
authority to change Fred's profile, notifies someone when she tries, and
produces an Audit log of all her activity during that session.   Pro:
Simplest solution and someone else maintains the code for you.  Con: you
have to pay money.

There are likely some other ways to skin this cat, but at least that
should set your thinking down the right path 

HTH,

Jte






--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
 

 
This email message and any attachments are intended only for the use of
the intended recipients and may contain information that is privileged
and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message, or by telephone, and delete
the message from your email system.
--


> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx 
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Greg Wenzloff
> Sent: Wednesday, August 31, 2005 10:31 AM
> To: midrange-l@xxxxxxxxxxxx
> Subject: WRKUSRPRF
> 
> 
> We have a person with *SECADM authority.  When she performs WRKUSRPRF
> *ALL only some of the user profiles appear.  If we give her *ALLOBJ
> authority too then all the user profiles can be seen.
> 
> This doesn't seem correct to me.   Can someone clarify why *SECADM is
> not sufficient to get to all of the user profiles?  V4R4
> 
> TIA,
> Greg
> 
> -- 
> This is the Midrange Systems Technical Discussion 
> (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
> 
> 
>