OS/400 group profiles are a boon to system administrators because they let object authority for several users be administered in one place. A group profile is created in the same way as a user profile (CRTUSRPRF); it becomes a group the first time another user profile names it. To make a user a member of the group, specify the group's name in the GRPPRF parameter when creating or changing that user profile.
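As an added example (not code from the original post), the CL program below creates a group profile the way the best practices that follow require, enrols a primary and a supplemental member, and grants the group authority to a production file. All names in it (SALESGRP, JSMITH, AKUMAR, ITGRP, SALESLIB/ORDERS) are made up for illustration, and AKUMAR is assumed to exist already with ITGRP as its primary group.

```cl
/* Added example, not code from the original post: create a group profile   */
/* that cannot sign on, enrol members, and grant the group authority to a   */
/* production object. All names (SALESGRP, JSMITH, AKUMAR, ITGRP,           */
/* SALESLIB/ORDERS) are made up; AKUMAR is assumed to exist already with    */
/* ITGRP as its primary group.                                              */
PGM
  /* The group itself: no password, no special authorities, no menu. It     */
  /* only ever acts through its members and can never be signed on to.      */
  CRTUSRPRF USRPRF(SALESGRP) PASSWORD(*NONE) USRCLS(*USER) +
            SPCAUT(*NONE) INLMNU(*SIGNOFF) +
            TEXT('Group: sales department')

  /* A member whose primary group is SALESGRP. OWNER(*USRPRF) keeps objects */
  /* the member creates owned by the member, not by the group; GRPAUT(*NONE)*/
  /* gives the group no automatic authority to them. PWDEXP(*YES) forces a  */
  /* password change at first sign-on.                                      */
  CRTUSRPRF USRPRF(JSMITH) PASSWORD(*USRPRF) PWDEXP(*YES) USRCLS(*USER) +
            GRPPRF(SALESGRP) OWNER(*USRPRF) GRPAUT(*NONE) +
            TEXT('J Smith - sales')

  /* A user from another department who also needs sales authority gets    */
  /* SALESGRP as a supplemental group. SUPGRPPRF replaces the whole list    */
  /* (up to 15 groups), so any groups AKUMAR should keep must be listed too.*/
  CHGUSRPRF USRPRF(AKUMAR) SUPGRPPRF(SALESGRP)

  /* Authority is granted to the group, so one change here applies to every */
  /* member. Ownership of ORDERS stays with its existing owner profile.     */
  GRTOBJAUT OBJ(SALESLIB/ORDERS) OBJTYPE(*FILE) USER(SALESGRP) AUT(*CHANGE)

  /* Verify: who is in the group, and that no group profile has a password. */
  DSPUSRPRF USRPRF(SALESGRP) TYPE(*GRPMBR)
  DSPAUTUSR SEQ(*GRPPRF)
ENDPGM
```

Run it from a profile with *SECADM special authority and authority to SALESLIB/ORDERS; the two display commands at the end are interactive, so compile and call it from a 5250 session rather than submitting it to batch.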
Group profiles also have a downside and need proper administration. Here are a few industry best practices to follow so that a group profile does not become a loophole in the security of the system.
1- Group profiles should not be allowed to sign on to the system :- A user who is a member of a group profile inherits the authority the group has, in addition to any private authority of its own. Because the group is the one place where authority for all its members is held, changing authority at group level changes it for every member at once.
According to industry best practice, nobody should be able to sign on as the group itself: a session running under the group profile carries the combined authority of the group with none of the per-user accountability, and everything it does is audited under the group's name rather than a person's. The password of a group profile is therefore set to *NONE, which prevents anyone from signing on with it.
CHGUSRPRF USRPRF(group profile name) PASSWORD(*NONE)
If you have a large number of group profiles on your system and want to check which of them still have a password, use the command below; it lists each group with its members and shows whether each profile has a password.
DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
2- Group profiles should not own production objects :- The owner of an object has *ALL authority to it: the owner can change, delete, move and rename it, grant others authority to it, and grant back to itself any authority that is revoked. If a group profile owns production objects, every member of the group holds that owner-level authority over them.
The problem is compounded when a software package requires that all authorized users belong to the group profile that owns the application objects; every user then has owner authority to the whole application. Also watch the OWNER(*GRPPRF) parameter on the member profiles: with it, every object a member creates is owned by the group rather than the member, so the group keeps acquiring production objects even after ownership has been cleaned up once.
3- Group profiles should not have *ALLOBJ authority :- Profiles like QSECOFR must never be used as group profiles. Special authorities are inherited in the same way as object authority, so making an administrator profile that has *ALLOBJ into a group gives *ALLOBJ to all its members, who can then do anything with any object on the system. That defeats the purpose of using a group profile to control access to objects.
4- Supplemental group profiles :- One user can belong to more than one group. When creating or changing a user profile you name one group in the GRPPRF parameter and up to 15 further groups in the SUPGRPPRF parameter; a profile must have a primary group before it can have supplemental ones. This is needed when a person works for more than one department and needs the object authority of each. The rules above apply to every group a user belongs to, since the user gets the authority of all of them.
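Checking rules 1 to 3 by hand for every group is tedious, so here is an added example (not from the original post) that audits all group profiles in one pass and leaves the findings in a QTEMP table. It assumes the IBM i Services SQL views QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES and the QSYS2.OBJECT_STATISTICS table function, which exist on IBM i 7.1 and later but not on the OS/400 releases this post describes, and it assumes a production library named SALESLIB, which is made up. Column names should be checked against the installed release before use.

```cl
/* Added example, not from the original post: audit every group profile     */
/* against rules 1 to 3 above and leave the findings in QTEMP/GRPFIND.      */
/* Assumes the IBM i Services objects QSYS2.USER_INFO,                      */
/* QSYS2.GROUP_PROFILE_ENTRIES and QSYS2.OBJECT_STATISTICS (IBM i 7.1 and   */
/* later) and a made-up production library SALESLIB. The views only return  */
/* profiles the running user is authorized to, so run it as a security      */
/* administrator or rows will be silently missing.                          */
PGM
  DCL VAR(&PRDLIB) TYPE(*CHAR) LEN(10) VALUE('SALESLIB')

  /* One row per (group, finding). A profile counts as a group when some    */
  /* user names it as a primary or supplemental group, which is exactly     */
  /* what GROUP_PROFILE_ENTRIES lists.                                      */
  RUNSQL SQL('CREATE TABLE QTEMP.GRPFIND (GRPPRF, FINDING) AS ( +
      SELECT G.GROUP_PROFILE_NAME, +
             CAST(''rule 1: group has a password'' AS VARCHAR(60)) +
        FROM QSYS2.GROUP_PROFILE_ENTRIES G +
        JOIN QSYS2.USER_INFO U +
          ON U.AUTHORIZATION_NAME = G.GROUP_PROFILE_NAME +
       WHERE U.NO_PASSWORD_INDICATOR = ''NO'' +
      UNION +
      SELECT G.GROUP_PROFILE_NAME, +
             CAST(''rule 3: group has *ALLOBJ'' AS VARCHAR(60)) +
        FROM QSYS2.GROUP_PROFILE_ENTRIES G +
        JOIN QSYS2.USER_INFO U +
          ON U.AUTHORIZATION_NAME = G.GROUP_PROFILE_NAME +
       WHERE U.SPECIAL_AUTHORITIES LIKE ''%*ALLOBJ%'' +
      UNION +
      SELECT O.OBJECT_OWNER, +
             CAST(''rule 2: group owns objects in' *BCAT &PRDLIB *TCAT +
                  ''' AS VARCHAR(60)) +
        FROM TABLE(QSYS2.OBJECT_STATISTICS(''' *TCAT &PRDLIB *TCAT +
                  ''', ''*ALL'')) O +
       WHERE O.OBJECT_OWNER IN (SELECT GROUP_PROFILE_NAME +
                                  FROM QSYS2.GROUP_PROFILE_ENTRIES) +
      ) WITH DATA') COMMIT(*NONE) NAMING(*SQL)

  /* Show the findings; an empty result means every group passes rules 1-3. */
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/GRPFIND))
ENDPGM
```

The UNION removes duplicate rows, so a group that owns many objects in SALESLIB still appears once per rule it breaks. The third branch only covers one library; to cover the whole production estate, call OBJECT_STATISTICS once per production library or use one of its library-group values such as '*ALLUSR', at the cost of a much longer run.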
How to remove member user profiles from a group profile?
At times you need to remove a group profile from many member user profiles. When the number of profiles is large, this is easier through iSeries Navigator (Operations Navigator) than by changing each one from a 5250 emulator with CHGUSRPRF.
In iSeries Navigator, expand the system, then Users and Groups, then Groups.
Expand the group profile, highlight the users you want to remove from it, right-click and choose the option to remove the group profile from them.
Delete Group Profile :-
To delete a group profile, first remove every member user profile from it, since the system refuses to delete a profile that is still a group with members. Then check whether the group owns any objects (DSPUSRPRF with TYPE(*OBJOWN)) and either delete those objects or transfer them to another owner. Once both are cleared, the group profile can be removed from the system via 5250 or iSeries Navigator.
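The same procedure from a 5250 session, as an added example that is not part of the original post. The profile names (SALESGRP, JSMITH, AKUMAR, HRGRP, APPOWNER) are made up: JSMITH has SALESGRP as primary group, AKUMAR has it as one of two supplemental groups alongside HRGRP, and APPOWNER is the application's dedicated owner profile.

```cl
/* Added example, not from the original post: retire the group profile      */
/* SALESGRP safely. Profile names (SALESGRP, JSMITH, AKUMAR, HRGRP,         */
/* APPOWNER) are made up for illustration.                                  */
PGM
  /* 1. List the members; DLTUSRPRF is refused while any remain.           */
  DSPUSRPRF USRPRF(SALESGRP) TYPE(*GRPMBR)

  /* 2. Detach the members. GRPPRF(*NONE) clears a primary group (a         */
  /* profile cannot keep supplemental groups without a primary one).        */
  CHGUSRPRF USRPRF(JSMITH) GRPPRF(*NONE)

  /* SUPGRPPRF replaces the whole supplemental list, so to drop SALESGRP    */
  /* from a user who also belongs to HRGRP, respecify the groups to keep.   */
  CHGUSRPRF USRPRF(AKUMAR) SUPGRPPRF(HRGRP)

  /* 3. See what the group still owns before deleting it.                  */
  DSPUSRPRF USRPRF(SALESGRP) TYPE(*OBJOWN)

  /* 4. Delete the group. OWNOBJOPT(*CHGOWN APPOWNER) transfers any owned   */
  /* objects to the application owner profile instead of deleting them;     */
  /* the default OWNOBJOPT(*NODLT) would refuse the delete while the group  */
  /* owns anything. Private authorities SALESGRP held to other objects go   */
  /* with the profile, so former members lose the access it provided.       */
  DLTUSRPRF USRPRF(SALESGRP) OWNOBJOPT(*CHGOWN APPOWNER)

  /* 5. Confirm the group no longer appears in the authorized user list.   */
  DSPAUTUSR SEQ(*GRPPRF)
ENDPGM
```

Before step 4, note which objects SALESGRP was authorized to (not only what it owned): after the delete, members who still need those objects must get authority through another group or a private authority, otherwise the deletion shows up as broken batch jobs the next morning.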
Good information. Thanks a lot for sharing.