Barry Kwong wrote:
One of my user need to reset other user's password.
His user class is set at *secadm.
He is part of a group and the Limit Capabilities is set to no.
When he tries to reset other user profile, he recieves the message
'Not authorized to change user profile.'. Any help is appreciated.

I would suggest that you write a command-driven CL program owned by QSECOFR
that adopts QSECOFR authority that serves as the 'resetter' program for
resetting passwords.

I'd hard-code it to not allow anyone to change the password for any of the
important user profiles on the system (maybe not allow changing any profile
that begins with Q, or any of the packaged software owner profiles such as
JDE, etc. You could display a list of user profile names and review them
all to determine how to limit the scope of the password reset program.

Our password resetter prompts you for the user id name, then it performs the
command QSYS/CHGUSRPRF USRPRF(USERNAME) PASSWORD(USERNAME) PWDEXP(*YES) on
that profile to reset the password to the user profile name, requiring a
password change upon signon.

We also have a 2nd reset program...The other one will re-enable a disabled
profile. It prompts you for the user id, then it performs the command
QSYS/CHGUSRPRF USRPRF(USERNAME) STATUS(*ENABLED) to re-enable the profile
without resetting the password.

(Qualifying the commands to QSYS prevents tricky programmers from stealing
QSECOFR authority...)

Use System i security to limit authority to these commands - I suggest the
use of an authority list.

Regards,
sjl


"Barry Kwong" <barrykwongwh@xxxxxxxxxxx> wrote in message
news:mailman.15.1205446685.8736.midrange-l@xxxxxxxxxxxxxxx

One of my user need to reset other user's password. His user class is set
at *secadm. He is part of a group and the Limit Capabilities is set to no.
When he tries to reset other user profile, he recieves the message 'Not
authorized to change user profile.'. Any help is appreciated.
_________________________________________________________________
At a loss for words? Find them by playing Seekadoo! Play now!
http://g.msn.ca/ca55/208=



This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].