


Great post, John!!

I was just at a client site this week that was a victim of both evil security stalkers - Infinium and JDE. But lucky for them, their OWNER parameter was set to *USRPRF for most users. I believe that *GRPPRF is the right way to do it, but in the case of a poorly designed object ownership scenario, it's better this way if the group profile was indeed JDE or JDEINSTAL or something similar for the users creating profiles!...

"However, (this is my belated contribution to the Halloween season)...

IF
You run a popular software package such as JDE, or Infinium, or many, many others where the object ownership practice is:
-All objects are owned by user FRED (Insert your favorite owner profile here)
-Everyone is a member of Group FRED
-Everyone (or more importantly, the person who creates new profiles) has the OWNER parameter in their user profile set to *GRPPRF.

THEN
Every new profile that is created will be owned by the Group Profile, and every member of the group will have more than *USE rights to all of those profiles.

I've been in shops with over 1000 users where every user id was owned by the group so every user could do this command... SBMJOB CMD(CHGUSRPRF USRPRF(user_id) PASSWORD(new_password) STATUS(*ENABLED)) USER(SomeBody) ...To every other user in the group.

Pretty scary huh?

Don't let this happen to you. QSECOFR should own all profiles. No one should have even *USE rights to any other profile unless you explicitly want them to be able to assume another's identity.

There, now my Halloween is officially over. :)"

Best regards,

Steven W. Martinson, CISA, CISM, CISSP
Security Consultant
Cypress, Texas

Mobile: 713.277.5845
Fax: 281.758.2429
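The condition John describes (profiles owned by a group profile because the creating user runs with OWNER(*GRPPRF)) can be audited from SQL on IBM i. The query below is an added example, not part of the original post or thread; it assumes a release with the QSYS2.USER_INFO view and the QSYS2.OBJECT_STATISTICS table function, and that QSECOFR is the intended owner of every *USRPRF, as John recommends.

```sql
-- Added audit example (not from the original post). Assumes IBM i with
-- QSYS2.USER_INFO and QSYS2.OBJECT_STATISTICS available.

-- 1) Every user profile whose owner is not QSECOFR, flagged when the owner
--    is itself a group profile (i.e. every member of that group has more
--    than *USE rights to the profile, per the post above).
SELECT o.OBJNAME  AS profile,
       o.OBJOWNER AS profile_owner,
       CASE WHEN EXISTS (SELECT 1
                           FROM QSYS2.USER_INFO m
                          WHERE m.GROUP_PROFILE_NAME = o.OBJOWNER)
            THEN 'YES' ELSE 'NO' END AS owner_is_group
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*USRPRF')) o
 WHERE o.OBJOWNER <> 'QSECOFR'
 ORDER BY owner_is_group DESC, o.OBJOWNER, o.OBJNAME;

-- 2) Who would create the next group-owned profile: anyone that has a
--    group profile and OWNER(*GRPPRF) in their own user profile.
SELECT AUTHORIZATION_NAME, GROUP_PROFILE_NAME, OWNER
  FROM QSYS2.USER_INFO
 WHERE OWNER = '*GRPPRF'
   AND GROUP_PROFILE_NAME <> '*NONE'
 ORDER BY GROUP_PROFILE_NAME, AUTHORIZATION_NAME;

-- Remediation for each row of query 1, run from CL (SOMEUSER is a
-- placeholder for the flagged profile):
--   CHGOBJOWN OBJ(QSYS/SOMEUSER) OBJTYPE(*USRPRF) NEWOWN(QSECOFR) CUROWNAUT(*REVOKE)
--   RVKOBJAUT OBJ(QSYS/SOMEUSER) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*ALL)
-- and for each row of query 2, so new profiles stop inheriting the group:
--   CHGUSRPRF USRPRF(CREATOR) OWNER(*USRPRF)
```

Query 1 only recognises a group through GROUP_PROFILE_NAME; a profile used solely as a supplemental group would show up as owner_is_group = NO, so check SUPPLEMENTAL_GROUP_LIST as well on systems that rely on supplemental groups. Query 2 is the preventive half: fixing ownership without changing the OWNER parameter of the profile administrators just recreates the problem on the next CRTUSRPRF.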


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].