Admin Alert: The Dangers of User Profiles with Privileges
December 10, 2008 Joe Hertvik
Handling user profile authorities is one of the more critical i5/OS administrative duties. In particular, there are three crucial user parameters that must be set up correctly to prevent your users from inadvertently accessing objects and functions that they should not be using. Today, I’ll look at how you can work with these values to prevent several avoidable security pitfalls.
The Hierarchy of User Authority
Before you can work with user authorities, you must understand what they do. Here is the basic hierarchy of user profile security settings and how they relate to each other.
These values can be changed by using the green screen user profile commands or by using the Capabilities feature inside the iSeries Access (OpsNav) user properties screen. For this article, I’ll demonstrate how to manipulate these features by using OpsNav.
System Privileges–The Core Element
It’s important to understand that all user profile-based authorities are controlled through a user’s system privileges. Also known as special authorities, eight separate system privileges can be assigned to each user profile. These privileges can be individually assigned or they can be assigned as a group when the user profile is created or modified.
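The following added example, which is not part of the original article, audits a constructed list of profiles for special authorities beyond what their user class grants by default. It goes past this section by assuming the user-class defaults for QSECURITY level 30 and above and by counting a group profile's special authorities as its members' own. The dictionary layout is an assumption, and every profile name except the IBM-supplied QSECOFR is hypothetical.

```python
ALL_SPCAUT = frozenset({"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                        "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"})

# Special authorities each user class receives by default at QSECURITY 30+
# (assumption of this example; levels 10 and 20 grant more).
CLASS_DEFAULTS = {
    "*SECOFR": ALL_SPCAUT,
    "*SECADM": frozenset({"*SECADM"}),
    "*SYSOPR": frozenset({"*JOBCTL", "*SAVSYS"}),
    "*PGMR": frozenset(),
    "*USER": frozenset(),
}

def parse_spcaut(text, user_class):
    """Turn an SPCAUT value such as '*ALLOBJ *JOBCTL' into a set."""
    values = set(text.split())
    if values == {"*USRCLS"}:        # take the user class defaults
        return set(CLASS_DEFAULTS[user_class])
    if values == {"*NONE"}:
        return set()
    unknown = values - ALL_SPCAUT
    if unknown:
        raise ValueError(f"unknown special authority: {sorted(unknown)}")
    return values

def audit(profiles):
    """Return {profile: sorted authorities beyond its class default}.

    Authorities held by a profile's group count as the member's own.
    """
    own = {p["name"]: parse_spcaut(p["spcaut"], p["class"]) for p in profiles}
    findings = {}
    for p in profiles:
        effective = own[p["name"]] | own.get(p.get("group"), set())
        excess = effective - CLASS_DEFAULTS[p["class"]]
        if excess:
            findings[p["name"]] = sorted(excess)
    return findings

# Constructed sample profiles, not taken from any real system.
SAMPLE = [
    {"name": "QSECOFR", "class": "*SECOFR", "spcaut": "*USRCLS"},
    {"name": "GRPADMIN", "class": "*USER", "spcaut": "*ALLOBJ *JOBCTL"},
    {"name": "CLERK01", "class": "*USER", "spcaut": "*NONE", "group": "GRPADMIN"},
    {"name": "NIGHTOPR", "class": "*SYSOPR", "spcaut": "*JOBCTL *SAVSYS *SPLCTL"},
    {"name": "DEV01", "class": "*PGMR", "spcaut": "*NONE"},
]

if __name__ == "__main__":
    for name, excess in audit(SAMPLE).items():
        print(f"{name}: exceeds class default by {' '.join(excess)}")
```

CLERK01 is flagged even though its own special authorities are *NONE, because it is a member of a group profile that holds *ALLOBJ and *JOBCTL.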
To work with a user’s system privileges, open the Users and Groups→All Users→user profile name node in OpsNav. On the user properties screen, click on the Capabilities button, then click on the Privileges tab inside the Capabilities window. Under the settings that appear, you’ll be able to set the following system privileges for the user.
Besides using OpsNav’s user capabilities features, system privileges can also be set with the green screen Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands. Within these commands, system privileges are called “special authorities,” each privilege has a slightly different name, and privileges are changed in the command’s Special Authorities (SPCAUT) parameter list. Here’s a quick cheat sheet for how you map each system privilege to a special authority setting in the CRTUSRPRF and CHGUSRPRF special authorities list.