TAA Tools

The  Enable User  Profile  command is  intended  for trusted  personnel
that do  not have security  officer authority to change  a user profile
from  the disabled to the enabled state.   The typical command would be
entered as:

      ENAUSRPRF    USER(xxxx)

The disabled state  normally occurs when an  end user has exceeded  the
number  of  password  tries  at  a  terminal and  needs  to  retry  his
password.    The system  (based on  the  QMAXSGNACN system  value) will
prevent the user  from entering  a password  by automatically  changing
his  profile STATUS  attribute  to *DISABLED.    The CHGUSRPRF  command
must be entered to reset the user to the *ENABLED status.

Changing  a user profile normally  requires security officer authority.
The ENAUSRPRF command can be useful  in that it lets trusted  personnel
reset  the  profile.    This  is  achieved  by  adopting  the  security
officers profile.

To  use  ENAUSRPRF,  a   user  must  be  authorized  to  the  TAAENAUSR
authorization  list.  This authorization  list is automatically created
when the ENAUSRPRF  tool is created.   No user  (unless he has  *ALLOBJ
authority)  can  use  ENAUSRPRF   until  he  is  granted  authority  to
TAAENAUSR.  To grant authority, specify:


If  the Security Audit  Log exists (the  journal QAUDJRN  in QSYS), the
system will  automatically log  an entry  stating that  a user  profile
was  changed when  ENAUSRPRF  is  used.   The  journal  entry does  not
specifically  state what  the change was.   To  provide a  better audit
trail, a special journal entry is  sent (if the audit log exists)  with
CODE =  U and TYPE =  EN stating that  the ENAUSRPRF command  was used.
The  text of the  entry states  what user  profile was changed  and who
the user was that made the change.

If the audit journal does not exist, a message is sent to QHST.

Note  that  there  is no  capability  to  disable a  user  profile with

See also the TAA  Tool INZPWD for a  method of initializing a  password
in a similar manner.

The   WRKDSAUSR   also   requires   authorization  to   the   TAAENAUSR
authorization list.

Use with the TAADPTSEC Authorization List

An  alternative approach  is to  allow for multiple  assistant security
officers who can each  manage a set of unique  user profiles.  This  is
called a  'Departmental Security Officer'.   See the discussion  of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.

Command parameters                                    *CMD

   USRPRF        The user profile to be enabled.




The  tool  is ready  to  use, but  a  user must  be  authorized  to the
TAAENAUSR authorization list.  EDTAUTL may be used or:


Objects used by the tool

   Object        Type       Attribute      Src member     Src file
   ------        -----      ---------      ----------     -----------

   ENAUSRPRF     *CMD                      TAASECL        QATTCMD
   TAASECLC      *PGM          CLP         TAASECLC       QATTCL

The TAAENAUSR authorization list is created  in QSYS to control who  is
authorized to the command.

Added to TAA Productivity tools April 1, 1995

Home Page Up to Top