Evan, you're right about the group profile.  That part of adopted 
authority doesn't work and a profile swap is in order.  Um, submit a batch 
job which runs under QSECOFR and updates a data queue on the submitting 
program that the process is done?  Just another option for the API phobic.

Rob Berendt
-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." 
Benjamin Franklin 




Evan Harris <spanner@xxxxxxxxxx> 
Sent by: security400-bounces@xxxxxxxxxxxx
09/24/2003 02:39 PM
Please respond to
Security Administration on the AS400 / iSeries  <security400@xxxxxxxxxxxx>


To
Security Administration on the AS400 / iSeries <security400@xxxxxxxxxxxx>
cc

Subject
Re: [Security400] Allowing Someone to Create User Profiles...






You may need to use the swap profile API whose name escapes me at the 
moment (I'm at home but I think its something like QSYSGETPH)

If your user profile specifies a group profile then adopted authority will 

not be sufficient to create the profile as authority to a group profile 
cannot come from adopted authority - the profile performfng the operation 
need at least *USE (I think) to the group profile. Its all in the manual 
anyway :)

As an aside make sure you have a profile as a backup to QSECOFR with a 
combination of *ALLOBJ and *SECADMIN once you get to V5*; If Qsecofr gets 
disabled and your screw up your DST user you could be in big trouble....

Regards
Evan Harris


>Chuck Lewis wrote:
>
>>I am basically "it in IT" and when I am off, on the road or whatever and 
a
>>User Profile needs to be created it has to wait. I am VERY leery of 
giving
>>anyone other than maybe the CFO the authority to do this. So am I stuck 
?
>
>Haven't thought this all the way thru but how about:
>
>1) Create a skeleton user profile (no password) called CLONEME.
>2) Write a CL program CRTAUSER with 2 parms, USER and NAME.
>3) CRTAUSER adopts authority, does a RTVUSRPRF(CLONEME), and then does
>  a CRTUSPRF to create a new user.
>4) The CFO could then use this via a command interface.
>
>You could even have various skeleton users and pick from one.
>
>--
>Jeff Crosby
>Dilgard Frozen Foods, Inc.
>P.O. Box 13369
>Ft. Wayne, IN 46868-3369
>260-422-7531
>
>The opinions expressed are my own and not necessarily
>the opinion of my company.  Unless I say so.

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400) 
mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.



This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].