Who should create user profiles?


  • Who should create user profiles?

    We are a small shop. We have one AS/400 that three companies use. Currently, we have one person creating user profiles for all three companies. This has not been a problem, but we are getting a request from our sister companies, who would like someone at their site to be able to create user profiles for their site. I would like to keep this function centralized, but need some valid reasons as to why.

    My question is this: Am I correct in thinking that this function should be centralized and should only be done by one person (with a back up person at my site, should I get hit by a train on the way to work), or is there no problem in allowing someone at each site to be able to create user profiles for their company? I would need some valid reasons for either solution.

    Thanks,
    Steve Breitenbach

  • #2
    Who should create user profiles?

    On Tuesday, February 10, 1998, 04:55 AM, Steve Breitenbach wrote:

    We are a small shop. We have one AS/400 that three companies use. Currently, we have one person creating user profiles for all three companies. This has not been a problem, but we are getting a request from our sister companies, who would like someone at their site to be able to create user profiles for their site. I would like to keep this function centralized, but need some valid reasons as to why. My question is this: Am I correct in thinking that this function should be centralized and should only be done by one person (with a back up person at my site, should I get hit by a train on the way to work), or is there no problem in allowing someone at each site to be able to create user profiles for their company? I would need some valid reasons for either solution.

    Steve, I have kept the function centralized in my shop for several reasons:

    1) To ensure proper naming conventions are used. I use a standard of xxxyyy, where xxx is the user's department and yyy is the person's initials.
    2) To ensure that each user is assigned a group profile unique to their department. This allows you to restrict authority by work department.
    3) To make sure the use of special authorities such as *ALLOBJ, *SECADM, *JOBCTL, *SPLCTL, *SERVICE, etc. are restricted.
    4) To make sure that Limit Capabilities *YES is specified for all non-IS users. This prevents users from keying in system commands on a command line.
    5) I always assign specific job descriptions and output queues.

    The bottom line is if you are going to have a standard, it is easier to enforce under centralized control.

    Mark McCall

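Added example (not part of the original thread or any poster's code): a small Python audit that checks profile records against the five standards Mark lists in reply #2. The record layout, the department-to-group table, the IS department code `ISD`, the three-letter reading of `xxxyyy`, and treating the CRTUSRPRF defaults `QDFTJOBD` and `*WRKSTN` as "not specifically assigned" are assumptions; the sample profiles are constructed.

```python
import re

# Assumptions, not from the thread: "xxxyyy" is read as a 3-letter department
# code plus 3 initials; the group table and the IS department code are
# site-specific and constructed here for illustration.
DEPT_GROUP = {"ACC": "GRPACC", "WHS": "GRPWHS", "ISD": "GRPISD"}
IS_DEPT = "ISD"
RESTRICTED = {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL", "*SERVICE"}
NAME_RE = re.compile(r"^([A-Z]{3})[A-Z]{3}$")

def audit_profile(p):
    """Return the list of standards that one profile record violates."""
    findings = []
    m = NAME_RE.match(p["name"])
    dept = m.group(1) if m and m.group(1) in DEPT_GROUP else None
    if dept is None:                                   # standard 1
        findings.append("name does not follow xxxyyy with a known department")
    elif p["group"] != DEPT_GROUP[dept]:               # standard 2
        findings.append(f"group {p['group']} is not the {dept} group")
    if dept != IS_DEPT:                                # non-IS users only
        extra = sorted(RESTRICTED & set(p["special"]))
        if extra:                                      # standard 3
            findings.append("special authorities: " + " ".join(extra))
        if p["lmtcpb"] != "*YES":                      # standard 4
            findings.append("limit capabilities is not *YES")
    if p["jobd"] == "QDFTJOBD":                        # standard 5
        findings.append("default job description")
    if p["outq"] == "*WRKSTN":
        findings.append("default output queue")
    return findings

def audit_all(profiles):
    """Map each non-compliant profile name to its findings."""
    report = {}
    for p in profiles:
        findings = audit_profile(p)
        if findings:
            report[p["name"]] = findings
    return report

def rec(name, group, special, lmtcpb, jobd, outq):
    return dict(name=name, group=group, special=special,
                lmtcpb=lmtcpb, jobd=jobd, outq=outq)

PROFILES = [  # constructed sample records
    rec("ACCJQS", "GRPACC", [], "*YES", "ACCJOBD", "ACCOUTQ"),
    rec("WHSBTR", "GRPACC", ["*JOBCTL", "*SPLCTL"], "*NO", "QDFTJOBD", "WHSOUTQ"),
    rec("ISDMKM", "GRPISD", ["*ALLOBJ", "*SECADM"], "*NO", "ISDJOBD", "ISDOUTQ"),
    rec("TEMP01", "*NONE", ["*ALLOBJ"], "*NO", "QDFTJOBD", "*WRKSTN"),
]

if __name__ == "__main__":
    for name, findings in audit_all(PROFILES).items():
        print(name, findings)
```
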


    • #3
      Who should create user profiles?

      On Tuesday, February 10, 1998, 04:55 AM, Steve Breitenbach wrote:

      We are a small shop. We have one AS/400 that three companies use. Currently, we have one person creating user profiles for all three companies. This has not been a problem, but we are getting a request from our sister companies, who would like someone at their site to be able to create user profiles for their site. I would like to keep this function centralized, but need some valid reasons as to why. My question is this: Am I correct in thinking that this function should be centralized and should only be done by one person (with a back up person at my site, should I get hit by a train on the way to work), or is there no problem in allowing someone at each site to be able to create user profiles for their company? I would need some valid reasons for either solution. Thanks, Steve Breitenbach

      Steve, I have worked for clients using both environments; based on this I would say that decentralised administration is by far the most productive for the business. In one, that I helped implement, it was a tough battle to get the IT organisation to see their role was to provide the infrastructure to define and enforce security policy. Typically IT shops translate this to they must therefore administer the creation/deletion/modification of security profiles.

      In the decentralised environment we developed an infrastructure that enabled the business manager at the site to define new employees to applications and their access to levels within the application. The menu system enforced the security policies. It also enabled the business manager to manage the employee's access. Central IT's role became one of auditing the process and the output created.

      The Business Managers got a benefit as new employees could be registered immediately... no sending faxes, waiting on the telephone, trying to track down the systems administrators. If a team leader was rostered off or away sick, the business manager could temporarily alter another employee to have the team leader access. Bottom line is the business managers had control over the process that was linked to their business. The centralised IT staff were also happier, once they saw no more getting paged to perform trivial tasks such as creating or modifying a user profile.

      My vote would be to have centralised administration and audit of policy, but not the centralisation of the process. I have seen Mark's append and would see his reasons are control of policy and not really reason for centralisation of administration... But my experiences have been this can be a very political area! Before you make a decision, why not discuss the options/consequences with the Business Managers?



      • #4
        Who should create user profiles?

        Stick to your guns, all profiles should be in hands of 1 person plus 1 backup. Preferably this person is also the only one with Qsecofr also. In the world of the clueless, he with half a clue is King.

        Karl Lauritzen
        Second VP Project Development
        National Lloyds Ins
