ENAUSRPRF        ENABLE USER PROFILE        TAASECL
The Enable User Profile command is intended for trusted personnel
that do not have security officer authority to change a user profile
from the disabled to the enabled state. The typical command would be
entered as:

             ENAUSRPRF USER(xxxx)

The disabled state normally occurs when an end user has exceeded the
number of password tries at a terminal and needs to retry his
password. The system (based on the QMAXSGNACN system value) will
prevent the user from entering a password by automatically changing
his profile STATUS attribute to *DISABLED. The CHGUSRPRF command
must be entered to reset the user to the *ENABLED status.
Changing a user profile normally requires security officer authority.
The ENAUSRPRF command can be useful in that it lets trusted personnel
reset the profile. This is achieved by adopting the security
officer's profile.
To use ENAUSRPRF, a user must be authorized to the TAAENAUSR
authorization list. This authorization list is automatically created
when the ENAUSRPRF tool is created. No user (unless he has *ALLOBJ
authority) can use ENAUSRPRF until he is granted authority to
TAAENAUSR. To grant authority, specify:

             ADDAUTLE AUTL(TAAENAUSR) USER(xxxxxx) AUT(*USE)

If the Security Audit Log exists (the journal QAUDJRN in QSYS), the
system will automatically log an entry stating that a user profile
was changed when ENAUSRPRF is used. The journal entry does not
specifically state what the change was. To provide a better audit
trail, a special journal entry is sent (if the audit log exists) with
CODE = U and TYPE = EN stating that the ENAUSRPRF command was used.
The text of the entry states what user profile was changed and who
the user was that made the change.
If the audit journal does not exist, a message is sent to QHST.
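
An added example (not part of the TAA tool or its documentation) of a CL
program a reviewer could run to check who is authorized to ENAUSRPRF and
where it has been used. The program name RVWENAUSR and the choice of
printed output are assumptions; the commands themselves are standard
IBM i commands.

```cl
/* RVWENAUSR - hypothetical name. Added example for reviewing ENAUSRPRF use. */
             PGM

             /* Who is on the TAAENAUSR authorization list, that is,  */
             /* who is able to use ENAUSRPRF                          */
             DSPAUTL    AUTL(TAAENAUSR) OUTPUT(*PRINT)

             /* Does the security audit journal exist?                */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(GOTO CMDLBL(NOJRN))

             /* Print the special entries sent by ENAUSRPRF           */
             /* (CODE = U and TYPE = EN). The entry text names the    */
             /* profile that was enabled and who enabled it.          */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          JRNCDE((U)) ENTTYP(EN) OUTPUT(*PRINT)
             /* CPF7062 = no journal entries matched the selection    */
             MONMSG     MSGID(CPF7062) EXEC(SNDPGMMSG +
                          MSG('No U/EN entries found in QAUDJRN'))
             RETURN

             /* No audit journal: ENAUSRPRF sent its message to QHST. */
             /* Add PERIOD to cover the time range of interest.       */
 NOJRN:      DSPLOG     LOG(QHST) OUTPUT(*PRINT)

             ENDPGM
```

The user running the program needs authority to QAUDJRN and its
receivers for the DSPJRN step.
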
Note that there is no capability to disable a user profile with
ENAUSRPRF.
See also the TAA Tool INZPWD for a method of initializing a password
in a similar manner.
WRKDSAUSR also requires authorization to the TAAENAUSR
authorization list.
Use with the TAADPTSEC Authorization List
-----------------------------------------
An alternative approach is to allow for multiple assistant security
officers who can each manage a set of unique user profiles. This is
called a 'Departmental Security Officer'. See the discussion of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.
Command parameters *CMD
------------------
   USRPRF        The user profile to be enabled.
Prerequisites
-------------
None.
Implementation
--------------
The tool is ready to use, but a user must be authorized to the
TAAENAUSR authorization list. EDTAUTL may be used or:

             ADDAUTLE AUTL(TAAENAUSR) USER(xxx) AUT(*USE)

Objects used by the tool
------------------------
   Object        Type    Attribute      Src member    Src file
   ------        -----   ---------      ----------    -----------
   ENAUSRPRF     *CMD                   TAASECL       QATTCMD
   TAASECLC      *PGM       CLP         TAASECLC      QATTCL
The TAAENAUSR authorization list is created in QSYS to control who is
authorized to the command.
Added to TAA Productivity tools April 1, 1995