Should QSECOFR own all profiles???
  • Should QSECOFR own all profiles???

    I have the special authority of *SECADM, therefore I can add and change user profiles. I have my profile set up so that I belong to a group and the group owns all the objects which I create. Therefore all the profiles which I have created belong to this special group. Should Qsecofr own or have rights to the profiles? Will I have problems??????? Should I change the owner and authority to include Qsecofr???

  • #2
    Should QSECOFR own all profiles???

    Claris, As a point of standardization, I have always granted object ownership of user profiles to QSECOFR. I don't know that this does or does not affect them. I created a program that is called when user profiles are created and the last step is to change object ownership to QSECOFR. I am curious to see the posts on this one. There may be underlying reasons for not doing what I say here. -bret



    • #3
      Should QSECOFR own all profiles???

      Claris, I do not think you would experience any authority problems, as QSECOFR should have *ALLOBJ and *SECADM special authority and therefore should be able to administer these profiles. One potential problem I wonder about is if you had to restore all of your profiles from a backup. Would the owner be changed to QDFTOWN for all of the profiles that are alphabetically lower than the owner's profile? Would this even cause a problem if it happened? Other than that, I do not think it matters. Mark Phippard



      • #4
        Should QSECOFR own all profiles???

        Claris - You got my curiosity up so I checked my usrprfs. None are owned by QSECOFR. All of the Q usrprfs are owned by QSYS (except QPM400) and all of the 'user' usrprfs are owned by QPGMR (which makes sense since I created them and that's my group profile). Whether that's a good thing or not I don't know . . . JM.02, Steve



        • #5
          Should QSECOFR own all profiles???

          Check the authority of the object. If your user class is not *secofr, you may be giving public authority to the user profile object. If so, that is not a good thing. Greg



          • #6
            Should QSECOFR own all profiles???

            Steve,
            >... and all of the 'user' usrprfs are owned by QPGMR (which makes sense since I created them and that's my group profile). Whether that's a good thing or not I don't know . . .<<
            That is probably a very bad thing. Because QPGMR owns those user profiles it means that QPGMR will have at least *USE authority to those user profiles. This means that QPGMR or anyone that has QPGMR as a group profile can submit jobs to run under any of those user profiles. It also means that they could also get a profile handle for those user profiles and change their job to run under those user profiles. At a minimum you should change those user profiles to be owned by QSYS, QSECOFR, or some other security officer user profile. Or, you could change the user profiles to be owned by themselves. You should also change the public authority of those user profiles to *EXCLUDE. Ed Fishel



            • #7
              Should QSECOFR own all profiles???

              Ed - "I" am QPGMR (I'm the only member of the group and QPGMR has password *NONE) and public authority is *EXCLUDE for all usrprfs (except QSPL and QNETSPLF) but I shall take your advice and change the owner to QSYS because you make good points. Thanks, Steve



              • #8
                Should QSECOFR own all profiles???

                Claris,
                >Should Qsecofr own or have rights to the profiles? Will I have problems???????<<
                You will not have any problem regarding access to profiles by QSECOFR. Since QSECOFR has *ALLOBJ and *SECADM authorities, it will always have full access to all user profiles regardless of who owns them.
                >Should I change the owner and authority to include Qsecofr???<<
                This is unnecessary. You will not have any problem as long as you have *ALLOBJ authority. If you do not have *ALLOBJ authority and you wish to change the ownerships, you can avoid problems in several ways:
                1. sign-on as QSECOFR and specify CUROWNAUT(*SAME) as you change the ownership
                2. sign-on as QSECOFR whenever you make changes to user profiles
                3. give yourself *ALLOBJ authority (via QSECOFR)



                • #9
                  Should QSECOFR own all profiles???

                  Claris,
                  >I have the special authority of *SECADM, therefore I can add and change user profiles. I have my profile set up so that I belong to a group and the group owns all the objects which I create. Therefore all the profiles which I have created belong to this special group.<<
                  This also means that all of the users in the group have access to everyone else's profile. If a user has *USE authority to someone else's profile, they can assume their identity. If you create profiles, and they are owned by your group profile, then everyone in your group has the ability to assume the identity of any profile you have created.
                  >Should Qsecofr own or have rights to the profiles?<<
                  QSECOFR already has rights to all profiles; in your case, it is probably worth making QSECOFR the owner as well.
                  >Will I have problems??????? <<
                  Once someone figures out how to assume another's identity, yes. jte MC Security Editor

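An added example, not part of the thread: a small audit of the exposure posts #6 and #9 describe, listing which users hold at least *USE to each user profile object through ownership, group membership, private authority or *PUBLIC. The records and the profile names PGMR1, PGMR2, CLERK1 and CLERK2 are constructed; the model assumes the owner keeps *ALL and ignores authorization lists and adopted authority.

```python
# Constructed sample data in the spirit of an authority listing for *USRPRF
# objects. PGMR1, PGMR2, CLERK1 and CLERK2 are made-up profile names.
USE_OR_BETTER = {"*USE", "*CHANGE", "*ALL"}
ALLOBJ = {"QSECOFR"}  # *ALLOBJ bypasses object authority, so it is not reported

# user -> group profile (None when the user has no group)
GROUP_OF = {"PGMR1": "QPGMR", "PGMR2": "QPGMR", "CLERK1": None,
            "CLERK2": None, "QPGMR": None, "QSECOFR": None}

# user profile object -> owner, *PUBLIC authority, private authorities
PROFILES = {
    "CLERK1": {"owner": "QPGMR", "public": "*EXCLUDE", "private": {}},
    "CLERK2": {"owner": "QSECOFR", "public": "*EXCLUDE", "private": {}},
    "PGMR2": {"owner": "QSECOFR", "public": "*USE",
              "private": {"CLERK1": "*EXCLUDE"}},
}

def effective_authority(user, obj):
    """Simplified search order: the user's own authority, then the group's,
    then *PUBLIC. The first match wins, so a private *EXCLUDE beats *PUBLIC."""
    for who in (user, GROUP_OF.get(user)):
        if who is None:
            continue
        if who == obj["owner"]:
            return "*ALL"  # assumption: owner authority left at its default
        if who in obj["private"]:
            return obj["private"][who]
    return obj["public"]

def who_can_assume(target):
    """Users other than the profile itself with *USE or better to it."""
    obj = PROFILES[target]
    return sorted(u for u in GROUP_OF
                  if u != target and u not in ALLOBJ
                  and effective_authority(u, obj) in USE_OR_BETTER)

def audit():
    """Map each exposed profile to the users who could run work under it."""
    report = {name: who_can_assume(name) for name in PROFILES}
    return {name: users for name, users in report.items() if users}

def harden(target):
    """Model the advice in post #6: security officer owner, *PUBLIC *EXCLUDE."""
    PROFILES[target]["owner"] = "QSECOFR"
    PROFILES[target]["public"] = "*EXCLUDE"

if __name__ == "__main__":
    for name, users in audit().items():
        print(f"{name}: usable by {', '.join(users)}")
```

CLERK1 is exposed only because a group profile owns it, and PGMR2 only because of *PUBLIC *USE; after `harden()` on both, `audit()` reports nothing.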


                  • #10
                    Should QSECOFR own all profiles???

                    Ed Fishel, I wonder what Mark is wondering as well.....
                    >One potential problem I wonder about is if you had to restore all of your profiles from a backup. Would the owner be changed to QDFTOWN for all of the profiles that are alphabetically lower than the owner's profile? <<
                    I remember running into this on the S/38 - is this still how things work? jte



                    • #11
                      Should QSECOFR own all profiles???

                      John,
                      >I remember running into this on the S/38 - is this still how things work?<<
                      Yes, I believe that this is how it works. When the owning user profile is not on the system when an object, in this case another user profile, is restored, that object will be owned by QDFTOWN. A good way to prevent this from happening is to have the user profiles owned by QSECOFR because that user profile will always be on the system. Having user profiles owned by themselves also appears to work. I assume that it works because at the time the restore function sets the object's owner the owner is on the system. Ed Fishel



                      • #12
                        Should QSECOFR own all profiles???

                        Thanks Ed! jte
