Since a user profile is required to get access to the AS400, let's now discuss the AS400 user profile and all its features.
Create AS400 User profile :-
Only a user whose own profile has *SECADM special authority (and who is authorized to the CRTUSRPRF command) can create a new AS400 user profile.
User profiles can be created through two interfaces. You can use the green-screen Create User Profile command (CRTUSRPRF) or you can use iSeries Operations Navigator's (OpsNav) user profile function. For this, I'll use the traditional CRTUSRPRF interface, but all of these options are also configurable through the OpsNav interface.
This is how the screen would look when you type in the command CRTUSRPRF and press F4 (Prompt),
Parameters that are essential :-
1- User profile name (USRPRF) :- The name of the profile, up to 10 characters long.
2- User Password (PASSWORD) :- Defaults to *USRPRF, which makes the password the same as the profile name. Always set an explicit password; a profile left at this default is the first thing an attacker (or the ANZDFTPWD command) will find.
3- Set Password to Expire (PWDEXP) :- When set to *YES, the user is compelled to change the password at the first sign-on, so the initial password chosen by the administrator does not stay in use.
4- User Class (USRCLS) :- The user class you choose determines whether the user has only normal system authorities or can perform additional tasks normally reserved for higher-level users. When SPCAUT is left at its default of *USRCLS, the special authorities listed below are what each class grants at security level (QSECURITY) 30 and above; at levels 10 and 20 every class additionally receives at least *ALLOBJ and *SAVSYS, which is one reason to run at level 40 or higher. Your choices for user class are the following:
- User (*USER) - An ordinary user with no special system authorities.
- System Operator (*SYSOPR) - The user can perform system backups (*SAVSYS authority) and control system jobs (*JOBCTL authority).
- Programmer (*PGMR) - The user has no special system authorities beyond those of a normal user.
- Security Administrator (*SECADM) - The user receives *SECADM special authority and can create, change, or delete other user profiles.
- Security Officer (*SECOFR) - The user receives all special authorities and can perform any task on the system. But beware. Many shops are too loose with *SECOFR authority. In general, it should be reserved for one or two trusted people in the IT department and that's it.
5- Initial Program to Call (INLPGM), Initial Menu (INLMNU) :- These two parameters determine which program is called and which menu is displayed when the user signs on. By setting INLPGM and INLMNU to something other than the defaults, users can be kept out of the MAIN menu (the default INLMNU) and confined to an application menu or program.
6- Limit Capability (LMTCPB) :- This parameter tells OS/400 two things. First, whether the user may change the INLPGM, INLMNU, current library (CURLIB) and attention-key program (ATNPGM) values of their own profile, at the sign-on display or with CHGPRF. Second, whether the user may run commands from a command line.
When it is set to *NO, the user can change INLPGM, INLMNU, CURLIB and ATNPGM, and can run any command they are authorized to from a command line.
When it is set to *PARTIAL, the user can change only INLMNU; INLPGM, CURLIB and ATNPGM are locked. Commands can still be run from a command line.
When it is set to *YES, the user can change none of these values and cannot run commands from a command line or from a command-grouping menu option, except the few commands created with ALWLMTUSR(*YES), such as SIGNOFF, SNDMSG, DSPMSG and DSPJOB.
These three parameters, INLPGM, INLMNU and LMTCPB, are what restrict an interactive user. For example, users that only connect from other servers (ODBC, JDBC, FTP) and never need the green-screen 5250 emulator can be created with INLPGM(*NONE), INLMNU(*SIGNOFF) and LMTCPB(*YES). They can still reach the AS400 from the servers connected to it, but if the same user signs on from a 5250 emulator the session is signed off immediately, so the user never reaches a menu or the command line. Keep the limit of this approach in mind: the initial menu and LMTCPB are menu security for the 5250 display; they do not govern access to data through ODBC/JDBC, FTP or DDM, so object authority on the data itself (and, where needed, exit programs for those servers) still has to be in place.
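The restriction described above, worked through as an added CL example (this is not code from the original post): the weak-default profile beside two hardened ones. The profile names WEAKUSR, SVCUSR and APPUSR, the library APPLIB, the menu APPMENU and the placeholder password are assumptions for illustration only.

```cl
/* Added example, not from the original post. WEAKUSR, SVCUSR, APPUSR, APPLIB,      */
/* APPMENU and the password 'TEMP#2024' are placeholders; replace them for your site. */

/* Weak: defaults left in place. PASSWORD(*USRPRF) makes the password equal to the   */
/* profile name, PWDEXP(*NO) never forces a change, and LMTCPB(*NO) lets the user    */
/* alter INLPGM/INLMNU at sign-on and run any command from a command line.           */
CRTUSRPRF USRPRF(WEAKUSR) PASSWORD(*USRPRF) PWDEXP(*NO) +
          USRCLS(*USER) INLMNU(MAIN) LMTCPB(*NO) +
          TEXT('Weak example - do not copy')

/* Hardened: a server/ODBC-only account. INLPGM(*NONE) INLMNU(*SIGNOFF) ends a 5250  */
/* session as soon as sign-on completes; LMTCPB(*YES) blocks the command line and    */
/* the sign-on field changes; PWDEXP(*YES) forces a new password at first use;       */
/* PWDEXPITV(90) caps the password lifetime; SPCAUT(*NONE) is set explicitly so the  */
/* result does not depend on QSECURITY level or the *USRCLS default.                 */
CRTUSRPRF USRPRF(SVCUSR) PASSWORD('TEMP#2024') PWDEXP(*YES) PWDEXPITV(90) +
          USRCLS(*USER) SPCAUT(*NONE) +
          INLPGM(*NONE) INLMNU(*SIGNOFF) CURLIB(APPLIB) LMTCPB(*YES) +
          TEXT('Service account - no 5250 access')

/* Hardened: an interactive application user who only ever sees the application     */
/* menu. INLMNU(APPLIB/APPMENU) with LMTCPB(*YES) keeps the user inside the menu;    */
/* menu options that run commands with ALWLMTUSR(*NO) are refused.                   */
CRTUSRPRF USRPRF(APPUSR) PASSWORD('TEMP#2024') PWDEXP(*YES) PWDEXPITV(*SYSVAL) +
          USRCLS(*USER) SPCAUT(*NONE) +
          INLPGM(*NONE) INLMNU(APPLIB/APPMENU) CURLIB(APPLIB) LMTCPB(*YES) +
          TEXT('Application user - menu only')

/* Verify the values actually stored on the profile */
DSPUSRPRF USRPRF(SVCUSR) TYPE(*BASIC)
DSPUSRPRF USRPRF(APPUSR) TYPE(*BASIC)
```

The placeholder password is kept to ten uppercase characters so it is valid at any QPWDLVL; because PWDEXP(*YES) is set, it is discarded at the user's first sign-on. Note that APPUSR uses PWDEXPITV(*SYSVAL), so its real expiration interval is whatever QPWDEXPITV holds on that system.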
7- Special Authorities (SPCAUT) :- Special authorities work hand-in-hand with the profile's user class. With the default SPCAUT(*USRCLS), user profiles with a user class of System Operator (*SYSOPR) are automatically assigned the special authorities to save and restore system objects and to control system jobs, and users designated as Security Officers (*SECOFR) can perform any and all restricted functions on the system. For all other users, you can assign one or more of the following special authorities to a user profile:
- All object (*ALLOBJ) authority allows the user to access any system resource, regardless of whether or not they are explicitly authorized to use that object. Because *ALLOBJ effectively lets the user read, update or delete any object on the system, this special authority should be given out only on a strict need-to-have basis, and the list of profiles holding it should be reviewed regularly.
- Audit (*AUDIT) allows the user to perform all auditing functions on the system, including turning on and turning off auditing.
- Job Control (*JOBCTL) allows the user to perform any function (change, hold, delete, release, etc) on any jobs that are currently running on the system or for jobs that are sitting in a system job queue. In addition, the user has the ability to start OS/400 writers and remote output queues, and to stop active subsystems. Like *ALLOBJ, you may want to restrict access to *JOBCTL authority.
- Save system (*SAVSYS) authority allows the user to save, restore, or free storage for all objects on the system, regardless of whether or not the user has object management authority to those objects.
- Input/output (I/O) system configuration authority (*IOSYSCFG) gives the user the ability to change system I/O configurations.
- Security Administrator authority (*SECADM) allows a user to add, change, or delete user profiles on the system. The user must be authorized to the user profile commands (CRTUSRPRF, DLTUSRPRF, and CHGUSRPRF) to use this authority. The catch here is that a security administrator user cannot assign any special authorities to another user that it does not itself already have.
- Spool control authority (*SPLCTL) allows the user to display, change, hold, release and delete any spooled file on the system, in any output queue, regardless of the authority to that queue. It is effectively *ALLOBJ for spooled output, which often contains report data, so it is not a harmless "printer" authority.
- Service (*SERVICE) allows the user to start System Service Tools (STRSST) and use service functions that can display and alter storage and trace other jobs. Treat it with the same care as *ALLOBJ.
8- Password expiration interval (PWDEXPITV) :- Tells OS/400 how often (in days) the user should be forced to change their password. If the user has not changed the password by the end of the PWDEXPITV interval, the password expires automatically and must be changed at the next sign-on. The possible values are:
- Any number between 1 and 366 days. If a password expiration interval is set for a user, OS/400 will not allow the password to remain active for more than one year.
- No expiration (*NOMAX) tells OS/400 that the password remains active forever unless the user voluntarily changes it or the system administrator changes it.
- Use the Password Expiration Interval system value (*SYSVAL). This tells OS/400 to use the number of days in the system value QPWDEXPITV. This is the default for the PWDEXPITV parameter. If you use *SYSVAL, check what QPWDEXPITV is set to, because the system value ships with a default of *NOMAX, so until it is changed every profile with PWDEXPITV(*SYSVAL) has a password that never expires.
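Both the special-authority list and the expiration interval above are settings you inherit on an existing system, so here is an added CL example (not from the original post) that audits them and fixes the usual findings. The commands are standard IBM i commands; the profile names APPUSR and OLDUSR and the 90-day interval are assumptions standing in for site policy.

```cl
/* Added example, not from the original post. APPUSR, OLDUSR and the 90-day value     */
/* are placeholders; the commands themselves are standard IBM i.                      */

/* 1. Profiles whose password is still the profile name (the PASSWORD(*USRPRF)       */
/*    default). ACTION(*NONE) only reports; *DISABLE or *PWDEXP would act on every   */
/*    hit, so report first and review the list before acting.                        */
ANZDFTPWD ACTION(*NONE)

/* 2. Every profile holding a powerful special authority, whatever its user class.    */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) +
          SPCAUT(*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *AUDIT *IOSYSCFG *SERVICE)

/* 3. Profiles whose special authorities do not match what their user class would    */
/*    grant (for example a *USER that was handed *ALLOBJ directly).                   */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*MISMATCH)

/* 4. Expiration interval, last change date and expiry status for every profile;     */
/*    this is where PWDEXPITV(*NOMAX) and reliance on *SYSVAL show up.                */
PRTUSRPRF TYPE(*PWDINFO) SELECT(*ALL)

/* 5. The same data as a file in QTEMP, if you would rather query it than read a     */
/*    spooled report.                                                                 */
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(QTEMP/USRPRFS)
RUNQRY QRYFILE((QTEMP/USRPRFS))

/* Remediation of the typical findings.                                               */

/* QPWDEXPITV ships as *NOMAX, so profiles with PWDEXPITV(*SYSVAL) never expire until */
/* this is changed. 90 days is a placeholder for your own policy.                     */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('90')

/* Strip *ALLOBJ (and everything else) from a *USER-class profile that never needed  */
/* it; the mismatch report above is how such profiles are found.                      */
CHGUSRPRF USRPRF(APPUSR) SPCAUT(*NONE)

/* Force a profile reported by ANZDFTPWD to choose a new password at its next sign-on */
/* and give it a real expiration interval instead of inheriting the system value.     */
CHGUSRPRF USRPRF(OLDUSR) PWDEXP(*YES) PWDEXPITV(90)
```

Run the reporting commands (steps 1 to 5) before any of the CHG commands: ANZDFTPWD with an action other than *NONE, and a blanket change to QPWDEXPITV, will lock out service and application profiles that nobody signs on to interactively, so those need an explicit PWDEXPITV or a documented exception first.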