
Hopefully someone could help me with the following two issues.

1. If I create a user (I'm qsecofr) then another user who is secadm can't see them when they go to wrkusrprf. How can we make it so he can always see all users without having to go to each user I've created and giving him access?

2. As qsecofr I can only sign in to named devices. We use the emulator and I can sign into "mycompa1" but if it's "mycompa2" I can't without granting me *all. I'd like to grant *all to a generic device name like "mycomp*" but I'm not sure how to do it. I know it can be done however.

asked 11/18/2011 01:46


chemdry ♦♦


4 Answers:
Hi Chemdry,

Add to his profile the Special authority (SPCAUT) *SECADM

But before you do, you have to know:
*SECADM
When security administrator authority is given to the user. The user can create, change, or delete user profiles if authorized to the Create User Profile (CRTUSRPRF), Change User Profile (CHGUSRPRF), or Delete User Profile (DLTUSRPRF) commands and is authorized to the user profile. This authority does not allow giving special authorities that this user profile does not have. To give *SECADM special authority to another user, a user must have both *ALLOBJ and *SECADM special authorities.

Regards,
Murph

answered


murphey2

Your question Part 2,

Check if you have *ALLOBJ as special authority.

answered 2011-11-19 at 02:04:59


murphey2

Hi Chemdry,

I didn't read your question well enough: "I can sign into "mycompa1" but if it's "mycompa2" i can't"

What user do you use for the first login (the popup window)?
That is the user that is opening your session (and needs the device).

So if you can use "Compa1" and you can't use "Compa2", I assume they are from 2 different owners.
Just remove the Devd and try it again.



answered 2011-11-19 at 02:07:47


murphey2

"How can we make it so he can always see all users without having to go to each user I've created and giving him access?"

As Murph noted, one possibility is to give the *SECADM user *ALLOBJ. That might be directly given or it might be supplied through a group profile that the *SECADM user is made a member of (which is effectively the same result).

You could also create a program that was compiled as USRPRF(*OWNER) and have the program access those profiles. Grant the *SECADM user the authority to run the program. That way, the *SECADM user doesn't need to have added authority. The program can take action according to what you code into it, and it only needs to use its own authority. Make sure that it is owned by a profile that has sufficient authority.

But perhaps the real answer is that (1) QSECOFR should not be signed on to in the first place, and (2) the *SECADM user should be the one creating the profiles. There wouldn't be a problem then. Why create a *SECADM user if the user isn't going to do the work?

"I'd like to grant *all to a generic device name like "mycomp*" but I'm not sure how to do it."

You can use the CHGAUT command to grant authorities to generic* object names.

Note that it will only grant authority to objects that exist. The authority won't apply to a "mycomp*" device that is created tomorrow.

Tom

answered 2011-11-19 at 02:19:12


tliotta
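
The USRPRF(*OWNER) approach from the answer above, sketched in CL as an added example (not code posted in this thread). The library SECTOOLS, program LSTUSRPRF, owner profile PRFOWNER and user SECADM1 are hypothetical names, and it assumes PRFOWNER already holds authority to the profiles being listed.

```cl
/* ---- Source member SECTOOLS/QCLSRC(LSTUSRPRF), hypothetical names ---- */
/* Does one fixed job: print the list of user profiles. It accepts no   */
/* parameters and shows no interactive panel, so the caller cannot      */
/* steer the adopted authority to other objects or commands.            */
PGM
  /* Library-qualify the command so a library-list change cannot        */
  /* substitute a different DSPAUTUSR while authority is adopted.       */
  QSYS/DSPAUTUSR SEQ(*USRPRF) OUTPUT(*PRINT)
  MONMSG MSGID(CPF0000) EXEC(SNDPGMMSG MSGID(CPF9898) +
           MSGF(QSYS/QCPFMSG) +
           MSGDTA('Profile listing failed; see job log') +
           MSGTYPE(*ESCAPE))
ENDPGM

/* ---- Build and authorize, run by the security officer ---- */
/* USRPRF(*OWNER): the program runs with its owner's authority added    */
/* to the caller's. AUT(*EXCLUDE): *PUBLIC gets no access to it.        */
CRTBNDCL PGM(SECTOOLS/LSTUSRPRF) SRCFILE(SECTOOLS/QCLSRC) +
         SRCMBR(LSTUSRPRF) USRPRF(*OWNER) AUT(*EXCLUDE)

/* Make the program owned by the profile with sufficient authority      */
/* (assumption: PRFOWNER is that profile).                              */
CHGOBJOWN OBJ(SECTOOLS/LSTUSRPRF) OBJTYPE(*PGM) NEWOWN(PRFOWNER)

/* Only the *SECADM user may call it; nobody else is granted anything.  */
GRTOBJAUT OBJ(SECTOOLS/LSTUSRPRF) OBJTYPE(*PGM) USER(SECADM1) AUT(*USE)

/* Review step: list every program that adopts PRFOWNER's authority.    */
DSPPGMADP USRPRF(PRFOWNER)
```

SECADM1 then runs CALL PGM(SECTOOLS/LSTUSRPRF) and reads the spooled list, without holding *ALLOBJ.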


Asked: 11/18/2011 01:46

Seen: 298 times

Last updated: 11/28/2011 12:39