Q: I restrict access to a library to limit the users that have authority to the objects in the library. Can I use a similar method to restrict access to a folder and limit access to the documents in the folder?
A:The security of folders does not work like the security of libraries. If a user is not authorized to a folder, the user cannot list the contents of the folder. However, if a user knows the fully qualified name of a document-for example, FLDR1/FLDR2/DOC-the user does not require authority to any of the qualifying folders. The only way to restrict access to the documents is to secure the documents.
I recommend use of the same authorization list to secure both the documents and the folder. If you secure a folder with an authorization list, then new documents added to the folder will automatically be secured by the authorization list. Documents currently in the folder will need to be secured using the Change Document Library Object Authority (CHGDLOAUT) command.
Q:User manuals for software products usually indicate that the security officer (QSECOFR) should perform the installation. Why is this so? Can another profile be used? If another profile is used, what is the minimum authority required for installs?
A:Installation instructions often call for the QSECOFR user profile because the application package may contain programs that adopt their owner's authority. When these programs are restored, OS/400 revokes all access to them unless the restoration is performed by a security officer or the owner of the programs.
If the user profile that installs the software has *ALLOBJ and *SECADM special authority, access to the adopting program is not revoked. IBM and other software vendors simplify the instructions by indicating that QSECOFR should install the software. In most cases, the profile responsible for the installation does not need to be QSECOFR. Any profile that has *ALLOBJ and *SECADM will suffice.
A second reason for the use of QSECOFR is that IBM and other software vendors usually test the install process using QSECOFR. They direct the customer to use this profile because they are confident the software will work smoothly if installed by the QSECOFR user profile.
Special considerations apply when you install changes to PC Support or OfficeVision/400-the user performing the installation must be enrolled in the system distribution directory. The QSECOFR user profile is automatically enrolled in the system distribution directory. If you elect to use another profile, you must enroll the alternate profile in the distribution directory.
If you want operations personnel to install a software package, you are faced with a dilemma. You probably will not want to give them access to a user profile that has *ALLOBJ and *SECADM special authorities. An alternative is to write a program that adopts a security officer's profile and prompts for a restore library command. You can write your own program or use the Restore Any Library (RSTANYLIB) command from library QUSRTOOL.
Q: How can I rename a user profile? The Rename Object (RNMOBJ) command does not allow the renaming of a user profile.
A:IBM does not support RNMOBJ for user profile objects because other objects reference the user profile, such as job descriptions and distribution directory entries. The following example shows how a security officer can create a profile with a new name which retains all the authorities of an existing user profile. The old profile name is OLDMARY the new user profile name is NEWMARY:
Sign on as a user that has *ALLOBJ and *SECADM special authority.
1. Use the Work with User Profile (WRKUSRPRF) command to display the Work with User Enrollment panel. Depending on how your system values and user profile parameters are set, you may need to press F21 and select the basic assistance level to view this screen. The difference between the Work with User Profile and Work with User Enrollment panels is that the enrollment panel gives you access to both user profiles and OfficeVision enrollments.
2. Select the copy option (option 3) to copy the old profile (OLDMARY) to the new profile (NEWMARY).
3. Give new profile NEWMARY all the private authorities of the old profile OLDMARY, using the Grant User Authority (GRTUSRAUT) command:
GRTUSRAUT USER(NEWMARY) + REFUSER(OLDMARY)
4. Change the ownership of any documents and folders owned by the old profile to the new profile using the Change Document Library Object Owner (CHGDLOOWN) command:
CHGDLOOWN OWNER(OLDMARY) + NEWOWN(NEWMARY)
5. Delete the old profile and transfer ownership of all other owned objects to the new profile. The Delete User Profile (DLTUSRPRF) command will change ownership of objects to the new profile and remove the old profile:
DLTUSRPRF USRPRF(OLDMARY) + OWNOBJOPT(*CHGOWN NEWMARY)