Creating User Profiles on the IBM i

Before a user can sign on and use the IBM i, a user profile must be created and assigned to the user.

We create user profiles using the Create User Profile command, CRTUSRPRF. Only the security officer profile, QSECOFR, or another profile that has security administrator special authority, *SECADM, can create, change, or delete user profiles.

The user profile parameter, USRPRF, is the only required parameter and is meant to hold the user profile name decided on for the new user. For example, to create the user profile THX1138, we enter the command CRTUSRPRF USRPRF(THX1138). We can then verify that the user profile has been created by issuing the command DSPUSRPRF USRPRF(THX1138). Doing this, we can see that there are in fact a cornucopia of options for creating and defining a user profile, which in this case were filled out using the defaults for the CRTUSRPRF command.

A password is assigned when the user profile is created. The Password parameter, PASSWORD, lets us set a password for a new user. The default value for this parameter is *USRPRF, which makes the password the same as the user profile name. The *NONE special value makes it so that the user cannot sign on to the system at all; this is recommended for workers who are on vacation or have recently left the organization. For example, to create a user profile, LASERVAULT, that cannot be signed on to, we would issue the command CRTUSRPRF USRPRF(LASERVAULT) PASSWORD(*NONE).

To test this, let’s issue the SIGNOFF command to sign off from our current user profile. At the sign-on screen, we first attempt to sign on as the LASERVAULT user and are greeted with the message “No password associated with user LASERVAULT”. Next, we sign on as the user THX1138, remembering that the user name and password are the same. Finally, we sign off again using the SIGNOFF command, then sign back on with our regular user profile.

The password length is determined by two system values, the Password Maximum Length system value, QPWDMAXLEN, and the Password Minimum Length system value, QPWDMINLEN. To display the minimum length allowed for a password, we execute the command DSPSYSVAL SYSVAL(QPWDMINLEN). A value from 1-10 is allowable, but the longer the password, the better.

The Set Password to Expired parameter, PWDEXP, lets us set the password for a specific user profile to expired. The two values we can use for this parameter are simply *YES and *NO. When the password is set to expired, the user will be prompted to enter a new password when they sign on. When creating a new profile, administrators usually set the PWDEXP field to *YES to indicate that the password should be changed by the user when they sign on. To create a user profile HAL9000 that will have to create a new password after signing on to the system, we issue the command CRTUSRPRF USRPRF(HAL9000) PWDEXP(*YES).

We can then test the effectiveness of the PWDEXP(*YES) parameter by signing off from our user profile via the SIGNOFF command and signing on as HAL9000, remembering here that by default the password is the same as the user profile name. As soon as we sign on we are taken to the Change Password screen. We can also access this screen, and change our password, by issuing the Change Password command, CHGPWD.

The Profile Status parameter, STATUS, specifies whether a user profile is enabled or disabled for sign-on. The STATUS parameter can be either *ENABLED, in which case the system allows the user to sign on to the system, or *DISABLED, in which case the system will not allow the user to sign on until an authorized user re-enables the profile by changing the value to *ENABLED.

The special authorities parameter, SPCAUT, is used to assign special authorities to a user. Special authorities are needed to perform certain functions on the system. The all object authority, *ALLOBJ, grants the user the authority to access any system resource. The security administrator authority, *SECADM, grants the authority to create or change user profiles. The save system authority, *SAVSYS, is used to save, restore, and free storage for all objects on the system. The job control authority, *JOBCTL, is used to change, display, hold, release, cancel, and clear all jobs that are on the system, and to stop active subsystems. The service authority, *SERVICE, allows the user to perform system service functions, such as save and restore. The audit authority, *AUDIT, allows the user to change the system values that control auditing, as well as change the auditing for specific objects and users. Finally, the spool control authority, *SPLCTL, grants the user the ability to manipulate other users’ spooled files.

The two other special values for the SPCAUT parameter are *NONE, where no special authorities are granted, and *USRCLS, where special authorities are given based on the value entered in the user class parameter.

The user class parameter, USRCLS, specifies the type of user to associate with the user profile. The possible values are security officer, *SECOFR, security administrator, *SECADM, programmer, *PGMR, system operator, *SYSOPR, and user, *USER. The user classes are convenient ways to assign special authorities to different types of users. When we assign user profiles to classes, the profiles inherit the special authorities associated with the class. The security officer, *SECOFR, is granted all object authority, security administrator authority, save system authority, job control authority, and spool control authority. The security administrator, *SECADM, is given security administrator authority. The system operator, *SYSOPR, is given save system authority and job control authority. The programmer and user classes, *PGMR and *USER, are given no special authorities.

As an example, we can create a user, PLYRONE, and assign them to the user class by issuing the command CRTUSRPRF USRPRF(PLYRONE) USRCLS(*USER). We can then use the DSPUSRPRF command to verify that the user PLYRONE has been assigned to the *USER class.

The Initial Menu parameter, INLMNU, indicates the name of the menu that is shown when the user signs on to the system. The default value for the Initial Menu parameter, INLMNU, is MAIN. As an example, let’s say we wanted to define a user profile for doing backups. We could assign such a user to the system operator class, *SYSOPR, and assign them the Backup menu, BACKUP, as their initial menu. To do this, we would issue the command CRTUSRPRF USRPRF(BCKUPMGR) USRCLS(*SYSOPR) INLMNU(BACKUP). Signing in as the user BCKUPMGR takes us directly to the BACKUP menu, which we can exit by pressing F9.
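A CL program that packages the creation steps above into one command, as an added example that is not from the original post: it refuses names in the Q namespace used by IBM-supplied profiles, only creates the profile if it does not already exist, and applies the conservative values discussed (*USER class, SPCAUT(*NONE), default password forced to expire at first sign-on). The program name CRTSAFEUSR, the TEXT value and the use of CHKOBJ to detect an existing profile are my own choices.

```cl
/* CRTSAFEUSR: create a user profile with conservative settings.      */
/* Added example, not from the original post; names are constructed. */
             PGM        PARM(&USER)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

             /* Names beginning with Q belong to IBM-supplied profiles; */
             /* keep locally created profiles out of that namespace.    */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN( +
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Names starting with Q are reserved') +
                             MSGTYPE(*ESCAPE))

             /* CPF9801 (object not found) means the profile is new. */
             CHKOBJ     OBJ(QSYS/&USER) OBJTYPE(*USRPRF)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                /* PASSWORD(*USRPRF) is the default (same as the name), */
                /* so PWDEXP(*YES) forces a change at first sign-on.    */
                /* For an account that must never sign on, use          */
                /* PASSWORD(*NONE) instead.                              */
                CRTUSRPRF  USRPRF(&USER) +
                             PASSWORD(*USRPRF) +
                             PWDEXP(*YES) +
                             STATUS(*ENABLED) +
                             USRCLS(*USER) +
                             SPCAUT(*NONE) +
                             INLMNU(MAIN) +
                             TEXT('Created by CRTSAFEUSR')
                /* Show the result so the settings can be verified. */
                DSPUSRPRF  USRPRF(&USER) TYPE(*BASIC)
                RETURN
             ENDDO

             /* CHKOBJ succeeded: the profile exists, leave it alone. */
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('User profile ' *CAT &USER *TCAT +
                          ' already exists; nothing changed') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Call it as CALL PGM(CRTSAFEUSR) PARM('PLYRONE') from a profile holding *SECADM, then confirm the result with DSPUSRPRF as described above.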



Displaying User Profiles

To the IBM i, a user profile is an object. The name of the user profile is the name the user needs to enter in order to sign on to the system. The attributes of a user profile object define the user to the system. User profiles have the object type *USRPRF. All user profiles reside in the system library QSYS, so as to ensure there are no duplicate user profiles in the system.

To quickly list the names of all the authorized system users, issue the Display Authorized Users command, DSPAUTUSR. Note that while this command primarily lists the user profile’s object name, a user profile is much more than just a name and an associated password.

A user profile contains a whole series of system information within it – the password, the initial menu to be displayed, the initial program to be called, special authorities, etc. The system security draws upon the user profile to verify the user’s authorization to sign on, run programs, read or update files, and perform certain tasks. To view this information, we can issue the Display User Profile command, DSPUSRPRF. We name the user profile we wish to view with the USRPRF parameter.

The QSYSOPR user profile comes with the system. We can sign on as QSYSOPR whenever we need to perform important system operator tasks, such as backing up and restoring libraries, or powering down the system. We can view the details of the QSYSOPR user profile by issuing the command DSPUSRPRF USRPRF(QSYSOPR). Entering this command takes us to the Display User Profile – Basic screen, which lists a multitude of information.

The User Profile attribute shows us the name assigned to the user profile; in other words, the user ID.

The User Class attribute indicates the type of user associated with this user profile. There are five classes of user on the IBM i. The possible values for this attribute are Security Officer, *SECOFR, Security Administrator, *SECADM, Programmer, *PGMR, System Operator, *SYSOPR, and User, *USER. The *SECOFR class is given all object authority, security administrator authority, save system authority, job control authority, service authority, and spool control authority. The *SECADM class is given security administrator authority, save system authority, and job control authority. The *PGMR and *SYSOPR classes are given save system authority and job control authority. The *USER class is given no special authorities. The QSYSOPR user profile’s class type is *SYSOPR. If we run the command DSPUSRPRF USRPRF(QSECOFR), we can see that the QSECOFR user profile’s class type is *SECOFR.

The Special Authority attribute lists the special authorities granted to a user. Special authorities are necessary for performing certain functions on the system. The Save System special authority, *SAVSYS, grants the ability to save, restore, and free storage for all objects on the system. The Job Control special authority, *JOBCTL, gives the power to change, display, hold, release, cancel, and clear all jobs that are running on the system or that are on a job or output queue. The Security Administrator special authority, *SECADM, grants the authority to create or change user profiles. The Service special authority, *SERVICE, allows the user to perform system service functions, such as save and restore. The All Object special authority, *ALLOBJ, grants the user the authority to access any system resource. The QSYSOPR user profile has both *SAVSYS and *JOBCTL special authorities. Note that the special authorities for the QSECOFR user profile cannot be removed.

Note that if we press Enter after running DSPUSRPRF USRPRF(QSYSOPR), we return to the previous screen. By default, the DSPUSRPRF command displays the basic information contained in a user profile. To view all of the information for a user profile, we use the TYPE parameter and specify *ALL. For example, issuing the command DSPUSRPRF USRPRF(QSYSOPR) TYPE(*ALL) brings us to the Display User Profile – Basic screen; if we press Enter, however, instead of being taken back to the previous screen, the Display Authorized Commands screen is presented. If we press Enter again, the Display Authorized Devices screen is shown, followed by the Display Authorized Objects screen, the Display Owned Objects screen, and then finally the Display Primary Group Objects screen.

To view the Display Authorized Commands screen directly, we can issue the DSPUSRPRF command with the parameter TYPE(*CMDAUT). The Display Authorized Commands screen shows us the commands that the user profile is allowed to execute.

To view the Display Owned Objects screen directly, we issue the command DSPUSRPRF with the parameter TYPE(*OBJOWN). The Display Owned Objects screen lists all the objects owned by a user profile; on most IBM i systems, the majority of objects are owned by a handful of user profiles. As an example, let’s display all of the objects owned by the QSYSOPR user profile by issuing the command DSPUSRPRF USRPRF(QSYSOPR) TYPE(*OBJOWN).

The QSYSOPR user profile is one of several IBM-supplied user profiles, known as default profiles, each of which starts with the letter Q. To quickly view all of the IBM-supplied user profiles on the system, we issue the command WRKUSRPRF USRPRF(Q*). The seven most famous of these profiles are QSECOFR, QPGMR, QSYSOPR, QUSR, QSRV, and QSRVBAS. Note that the QSRV and QSRVBAS profiles are special profiles for IBM technicians to use when servicing the IBM i.

IBM-supplied user profiles can be overused. For example, the QSECOFR user profile is often unnecessarily set as the owner of an application, thus bloating the QSECOFR user profile and, more seriously, leading to potential security concerns. To see how many objects the QSECOFR user profile is the owner of, enter the command DSPUSRPRF USRPRF(QSECOFR) TYPE(*OBJOWN).
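Reviewing profiles one DSPUSRPRF screen at a time does not scale, so here is a CL program, added as an example and not from the original post, that sends DSPUSRPRF output for every profile to an outfile and reports two things the sections above motivate: profiles in the *USER or *PGMR class (which grant no special authority) that nevertheless carry one, and every holder of *ALLOBJ. It reads the outfile through its model file QSYS/QADSPUPB; the field names UPUPRF, UPUSCL and UPSPAU and the 10-byte slot layout of UPSPAU are assumptions about that model file, to be confirmed with DSPFFD FILE(QSYS/QADSPUPB). The program name AUDUSRPRF and the work file name are mine.

```cl
/* AUDUSRPRF: flag over-privileged user profiles from DSPUSRPRF output. */
/* Added example, not from the original post. Field names UPUPRF,       */
/* UPUSCL, UPSPAU are assumed from model file QSYS/QADSPUPB.            */
             PGM
             DCLF       FILE(QSYS/QADSPUPB)
             DCL        VAR(&I)      TYPE(*INT)
             DCL        VAR(&POS)    TYPE(*INT)
             DCL        VAR(&AUT)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&REASON) TYPE(*CHAR) LEN(40)

             /* Dump the basic attributes of every profile to a work file. */
             DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/USRPRFS)
             OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRFS)

 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE)) /* EOF */
             CHGVAR     VAR(&REASON) VALUE(' ')

             /* *USER and *PGMR grant nothing by class, so any special   */
             /* authority present was added explicitly: make it visible. */
             IF         COND((&UPUSCL *EQ '*USER' *OR &UPUSCL *EQ '*PGMR') +
                          *AND (&UPSPAU *NE ' ')) +
                        THEN(CHGVAR VAR(&REASON) +
                          VALUE('special authority beyond user class'))

             /* *ALLOBJ bypasses object authority checks entirely; report */
             /* it regardless of class. Assumed: one authority per        */
             /* 10-byte slot of UPSPAU.                                   */
             DOFOR      VAR(&I) FROM(1) TO(8)
                CHGVAR     VAR(&POS) VALUE((&I * 10) - 9)
                CHGVAR     VAR(&AUT) VALUE(%SST(&UPSPAU &POS 10))
                IF         COND(&AUT *EQ '*ALLOBJ') +
                           THEN(CHGVAR VAR(&REASON) VALUE('holds *ALLOBJ'))
             ENDDO

             IF         COND(&REASON *NE ' ') THEN( +
                SNDPGMMSG  MSG(&UPUPRF *TCAT ': ' *CAT &REASON) +
                             TOPGMQ(*EXT))
             GOTO       CMDLBL(READ)

 DONE:       DLTOVR     FILE(QADSPUPB)
             ENDPGM
```

Every profile listed should map to a documented reason; an unexplained *ALLOBJ holder or an application owned by QSECOFR is exactly the overuse described above.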

