Owner of user profiles


  • Owner of user profiles

    I have two questions I would like to hear your answers for.

    1. Who owns user profiles in your shop?

    2. Who should own user profiles?

  • #2
    Belongs to users ...?
    Forgive my impertinence, but I don't quite understand your question, I am new to this forum and would appreciate clarification. Since I am a very responsive person, I try to get into other people's questions. Again, I apologize and thank you for your understanding.


    • #3
      No problem, Robert. Every object has an owner. User profiles are objects, so they have owners.


      • #4
        I don't understand why you ask this question.
        The natural thing is that QSECOFR owns it.


        • #5
          The default for the CRTUSRPRF command is OWNER(*USRPRF), meaning the user profile that is doing the command. So by default, QSECOFR would only own the profiles if they were created by QSECOFR.

          Interesting ... the CRTUSRPRF command only allows *USRPRF or *GRPPRF for the OWNER parameter. You can't put say OWNER(QSECOFR). I guess you'd have to do CHGOBJOWN after the CRTUSRPRF command.

          (I don't have any insight into the actual question of who should own the profiles.)


          • #6
            The Group of the "ID Administrator" or "Security Administrator" should be the owner of User Profiles. Don't use QSECOFR, in order to distinguish between system and non-system-created objects. The "ID Administrator" need not be granted *ALLOBJ if it has access to the User Profile object. This is the reason.


            • #7
              Thanks for the replies, everybody.

              I'm dealing with a small shop where programmers have created user profiles. Therefore, each programmer owns some profiles. It's causing some authority problems in their programming, but even if that were not the case, the programmers really shouldn't own user profiles, in my opinion.

              QSECOFR does seem like the logical choice for the owner, but I was thinking of having them create a special security officer or security administrator user profile to own the users' user profiles. I've never done it that way and wondered if it was a good idea or not.

              Please keep the thoughts and recommendations coming. This is not an urgent task, but it does need to be addressed soon.

              Ted


              • #8
                Originally posted by Dennis See:
                The Group of the "ID Administrator" or "Security Administrator" should be the owner of User Profiles. Don't use QSECOFR, in order to distinguish between system and non-system-created objects. The "ID Administrator" need not be granted *ALLOBJ if it has access to the User Profile object. This is the reason.

                On my 7.3 box, the owner of IBM profiles is QSYS, not QSECOFR, so I don't see the concern using QSECOFR to create profiles.


                • #9
                  In a small shop, there's nothing wrong with QSECOFR owning the user profiles IMO. In a larger shop where a particular person has security administrator authority, then a user profile dedicated to owning all other non-IBM user profiles and other security-related objects could be used. In either case, I can't see a reason why they shouldn't be owned by the same user profile, and definitely not by programmers.


                  • #10
                    I'm not sure why the owner of the user profile would be causing authority issues? Offhand, the only way I can think that this would be an issue would be with adopted authority and their profile not having authority to something another profile created. If that is the case, the issue you are experiencing would be more around a common object owner which should be addressed.
                    I did however shudder when I read programmers were creating profiles...


                    • #11
                      Thanks for your comments, John.

                      The problem these folks are having is in trying to retrieve the description of a user profile from an RPG program, which can be done thru the RTVUSRPRF command or thru an API. A user may not be able to retrieve the description of a certain user profile. It depends on who created the profile. Some of the user profiles were created, and are still owned, by people who no longer work there.

                      I'm glad you think user profiles should have a common object owner. Thanks for your support!

                      In a small shop, who else is there to create user profiles? I have always worked in small shops, and my coworkers and I always had to wear a lot of hats.

                      Thanks again for your comments.

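The thread describes user profiles owned by whoever created them, including people who have since left, and mentions CHGOBJOWN as the way to move ownership. The query below is an added example, not something posted by a participant: it audits who owns each `*USRPRF` object and drafts the CHGOBJOWN command for review. It assumes the IBM i services `QSYS2.OBJECT_STATISTICS` and `QSYS2.USER_INFO` are available, and `SECADMIN` is a hypothetical name for the profile chosen as the common owner.

```sql
-- Added example, not from the thread.
-- SECADMIN is a hypothetical common-owner profile; substitute your own.
-- Run under a profile with enough authority to see the *USRPRF objects.
WITH profiles AS (
    SELECT OBJNAME    AS profile_name,
           OBJOWNER   AS owner_name,
           OBJCREATED AS created
    FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*USRPRF'))
)
SELECT p.profile_name,
       p.owner_name,
       p.created,
       o.STATUS          AS owner_status,
       o.PREVIOUS_SIGNON AS owner_last_signon,
       CASE
           -- No USER_INFO row: the owner is not visible to this job
           WHEN o.AUTHORIZATION_NAME IS NULL THEN 'OWNER NOT VISIBLE'
           -- Typical for owners who no longer work at the shop
           WHEN o.STATUS = '*DISABLED'       THEN 'OWNER DISABLED'
           ELSE 'REVIEW OWNER'
       END AS finding,
       -- Drafted as text only; nothing is changed by this query
       'CHGOBJOWN OBJ(QSYS/' CONCAT TRIM(p.profile_name) CONCAT
       ') OBJTYPE(*USRPRF) NEWOWN(SECADMIN)' AS suggested_cl
FROM profiles p
LEFT JOIN QSYS2.USER_INFO o
       ON o.AUTHORIZATION_NAME = p.owner_name
-- QSYS owns the IBM-supplied profiles (as noted in post #8); skip those
-- and anything already owned by the chosen common owner.
WHERE p.owner_name NOT IN ('QSYS', 'SECADMIN')
ORDER BY p.owner_name, p.profile_name;
```

Because the CHGOBJOWN commands are only generated as a column, each row can be reviewed before anything is run.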