TAA Tools
CPYUSRPRF2      COPY USER PROFILE 2                    TAASEDR

The Copy  User Profile 2 command  is an option  on the SECOFR2  menu to
allow a  user (such as an  Assistant Security Officer) to  create a new
profile  by copying an  existing profile.  The  user must be authorized
to the TAACPYUSR2 authorization list.

A typical command would be:

             CPYUSRPRF2    FROMUSRPRF(aaa) TOUSRPRF(bbb) +

Most attributes  of  the  'from user  profile'  are copied.    Auditing
values are copied using the CHGUSRAUD command.

The  PASSWORD  prompt  defaults  to  allow either  *NONE,  *USRPRF,  or
*RANDOM  (a  random  value).   The  PWDEXP  parameter  is automatically
specified as *YES if the password  is set to *USRPRF.  This forces  the
user to change  the password on the  first signon.  If  the password is
set  to *RANDOM, then  password is expired  as specified on  the PWDEXP

The random password  function uses the  TAA INZPWD command  internally.
The completion message  describes the random  password.  This  allows a
further  option  to disable  the  user  profile if  the  user does  not
signon  during  the  same  day.    See  the  INZPWD  tool  for  further

The PASSWORD  parameter  may be  fixed to  *NONE,  *USRPRF, or  *RANDOM
which prevents a  change by the user.  See  the discussion of 'Changing
the PASSWORD default'.

The  Security  Officer  determines  if a  user  of  CPYUSRPRF2  will be
allowed to copy  a user profile  that has special  authorities such  as
*JOBCTL or  *ALLOBJ.   By default,  a user  profile which contains  any
special  authorities cannot  be used  to  copy from.   For  example, it
would generally not be desirable  to let an Assistant Security  Officer
make a copy of the QSECOFR profile.

The  Security Officer  can  use the  EDTCONARR  command to  change  the
CPYUSRPRF2   data  area   in   TAASECURE  to   specify   which  special
authorities  may  exist to  allow a  copy to  be made.   See  the later

CPYUSRPRF2 is an  option on the SECOFR2  menu.  CPYUSRPRF2 is  intended
as  a convenient  method  of cloning  an  existing user  profile.   The
CHGUSRPRF2 tool could then be used to tailor the user profile.

After  creating  the user  profile,  CHGOBJOWN  is used  to  change the
owner to QSECOFR.   The CPYUSRPRF user retains  all rights to the  user
profile.   Changing to  QSECOFR as  the owner  is done  to prevent  the
problem  in a disaster recovery  situation where the name  of the owner
of the profile comes later in  the alphabet than the user profile  that
was created.  System  profiles are restored first followed  by the user
created profiles  in alphabetical order.   If user  BBB creates profile
AAA,  the AAA user profile is restored  without BBB being on the system
and the owner would become QDFTOWN.

Changing the PASSWORD default

By default,  the PASSWORD  parameter is prompted  for and  the user  is
allowed to  enter *NONE, *USRPRF,  or *RANDOM.   You may choose  one of
the  values and prevent  the user  from making a  change by  use of the
CPYUSRPRF2 Application Value.  As an *ALLOBJ user, enter:


The shipped default  is *DFT which  means the user  of the command  may
choose  either  *NONE,  *USRPRF,  or   *RANDOM.    By  entering  *NONE,
*USRPRF,  or   *RANDOM,  the  choice  is  removed   from  the  user  of

Use with the TAADPTSEC Authorization List

An alternative approach  is to  allow for  multiple assistant  security
officers who can  each manage a set  of unique user profiles.   This is
called a  'Departmental Security Officer'.   See the  discussion of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.

Differences with the CPYUSRPRF tool

The  CPYUSRPRF TAA Tool is intended to be  used in a CL program that is
invoked by  the  Security  Officer or  in  a  program that  adopts  the
Security  Officers  profile.   The  command  requires  the user  to  be
authorized to the CRTUSRPRF command.

CPYUSRPRF2  is  a  similar function,  but  is intended  to  be  used by
Assistant  Security  Officers   and  is  controlled   by  use  of   the
TAACPYUSR2 authorization list.

Copying from user profiles with groups and supplemental groups

If group profiles  or supplemental groups exist with the  profile to be
copied,  the  user performing  the  copy must  be  authorized  to these

Copying from user profiles with special authorities

By default,  CPYUSRPRF2 will  not  allow copying  from a  user  profile
that  contains any  special  authorities such  as  *JOBCTL or  *ALLOBJ.
This  occurs because  no special  authorities are  shipped in  the data

If  the Security  Officer determines  that it  should be valid  to copy
from a  user profile that  contains a  special authority, that  special
authority must be entered into the CPYUSRPRF2 data area.

The EDTCONARR TAA Tool should be used as:


An  edit  display  will  appear.     Each  special  authority  that  is
considered  valid should  be  entered.   The value  entered must  be in
upper case and appear exactly  as the special authority appears in  the
profile such as:


If both  *JOBCTL and  *SPLCTL are entered,  it would  be valid  to copy
from a  user profile that had either or both.   However, a user profile
that contained either or both  plus another special authority (such  as
*SERVICE) could not be used.

In  general,  the  Security Officer  should  not  include  the  special
authorities  *ALLOBJ,  *SECADM,   and  *SERVICE.    Any  user  profiles
requiring this level of control should be created manually.

Changing the text of the CPF1118 message for 'No password'

If  you create profiles  with the default  of PASSWORD(*NONE), when the
user signs on he will see the message:

          CPF1118 No password associated with user xxx.

It is  possible  to  change the  text  of  this message  by  using  the
WRKMSGD command:

          WRKMSGD      MSGID(CPF1118)

Use Option 2 to see the current message text.

You may  want to add  to the First level  message text '...   with user
&1.  Call the Help Desk Xnnnn.'

Changing  the  message  text  must be  done  for  each  release  of the
operating  system.   You  could  have  a  CL  program  that  makes  any
required changes on  each new release and use the  CHGMSGD command such

          CHGMSGD      MSGID(CPF1118) MSGF(QCPFMSG) +
                         MSG('No password associated with +
                         user &1.  Call the Help Desk Xnnnn.')

Command parameters                                    *CMD

   FROMUSRPRF    The  from user  profile to  be used as  a base.   Most
                 meaningful parameters will be copied.

   TOUSRPRF      The  new  profile  to   be  created.    The   PASSWORD
                 parameter is set  to the same  name as the user.   The
                 PWDEXP parameter  is set to *YES to  force the user to
                 change the password at the next signon.

   PASSWORD      The password to be assigned.

                 The   default  may  be  fixed  by  an  option  in  the
                 CPYUSRPRF2  Application  Value  in  TAASECURE.    This
                 prevents the user from changing the value.

                 The  shipped  default  for  the Application  Value  is
                 *DFT  which  cause  the command  prompt  to  be filled
                 with *NONE, but the values  *USRPRF or *RANDOM may  be

                 *NONE means the  profile may not be signed  onto.  The
                 intent  of *NONE is  to avoid creating  a user profile
                 with an  obvious password  that may  not be  used  for
                 some time.

                 When the  user attempts to  signon, a  specific system
                 message  (CPF1118) describes  that the  profile cannot
                 be  signed onto.   If the user calls  a help desk, the
                 help  desk  can   use  the   TAA  INZPWD  command   to
                 initialize the  password to  the user profile  name or
                 a  random password.  The user  can then signon, but is
                 required to change his password immediately.

                 It is possible to change  the message text of  CPF1118
                 to your situation.  See the previous discussion.

                 *USRPRF may  be specified  to create the  profile with
                 a  password of  the same  value  as the  profile name.
                 When the user signs on,  he is required to change  his
                 password immediately.

                 *RANDOM  may   be   entered  to   generate  a   random
                 password.   This uses the TAA INZPWD  tool to generate
                 the  random  password.    The  password  expiration is
                 then set to the  value of the PWDEXP keyword.   INZPWD
                 also provides  an option  to disable the  user profile
                 if  the  user does  not  signon during  the  same day.
                 See the discussion with the INZPWD tool.

                 Note that the  password parameter  does not allow  the
                 entry  of  a  value  other  than  *NONE,  *USRPRF,  or
                 *RANDOM.   The user of the  command cannot enter other
                 characters to make a specific password.

   TEXT          The  text  description  of  the  new  profile  to   be

   PWDEXP        Ignored unless  PASSWORD(*RANDOM) is  used.  If  *YES,
                 then  set the  password to  expired  so the  user must
                 change  it on  first use.   If *NO,  then the randomly
                 generated password  can  be  used  to sign  on.    The
                 default is *YES.

   CHGOWN        Specifies  if  CHGOBJOWN  should  be run  to  transfer
                 ownership  of   the  newly  created  user  profile  to
                 QSECOFR.   If *YES,  then the  owner  will be  QSECOFR
                 for  disaster   recovery  reasons.     See   the  full
                 documentation  for  the tool  to see  when  this might
                 apply.  If *NO, then the  owner of the new profile  is
                 the default owner.  The default is *YES.


Not  all of  the  attributes of  the  user profile  are  copied.   Some
parameters  make no  sense to  copy as  the  system creates  new values
such  as  MSGQ,  GID,  and  UID.   Some  parameters  such  as SUPGRPPRF
(supplemental group profiles) are not supported.


The following TAA Tools must be on your system:

     CHKAPOST        Check apostrophes
     INZPWD          Initialize password
     RTVSPCAUT       Retrieve special authorities
     SNDCOMPMSG      Send completion message


None, the tool is ready to use.

If the Security  Officer wants to allow  copying of user profiles  that
contain  special  authorities,  they   must  be  entered  as  described

Objects used by the tool

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   CPYUSRPRF2    *CMD                   TAASEDR       QATTCMD
   TAASEDRC      *PGM       CLP         TAASEDRC      QATTCL
   TAASEDRC2     *PGM       CLP         TAASEDRC2     QATTCL

TAASEDRC2  is a prompt override program  to supply the text description
from the Copy From user profile.

Added to TAA Productivity tools December 1, 1996

Home Page Up to Top