User profile commands

This table lists the specific authorities required for the user profile commands.

Commands identified by (Q) are shipped with public authority *EXCLUDE. Commands shipped with public authority *EXCLUDE shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command	Referenced object	Authority needed
Command	Referenced object	For object	For library
ANZDFTPWD ^{3, 14, 15}(Q)
ANZPRFACT ^{3, 14, 15}(Q)
CHGACTPRFL ¹⁴(Q)
CHGACTSCDE ^{3, 14, 15}(Q)
CHGDSTPWD ¹
CHGEXPSCDE ^{3, 14, 15}(Q)
CHGPRF	User profile	OBJMGT, USE
	Initial program ²	*USE	*EXECUTE
	Initial menu ²	*USE	*EXECUTE
	Job description ²	*USE	*EXECUTE
	Message queue ²	*USE	*EXECUTE
	Output queue ²	*USE	*EXECUTE
	Attention-key- handling program ²	*USE	*EXECUTE
	Current library ²	*USE	*EXECUTE
CHGPWD
CHGUSRAUD ¹¹(Q)
CHGUSRPRF ³	User profile	OBJMGT, USE	*EXECUTE
	Initial program ²	*USE	*EXECUTE
	Initial menu ²	*USE	*EXECUTE
	Job description ²	*USE	*EXECUTE
	Message queue ²	*USE	*EXECUTE
	Output queue ²	*USE	*EXECUTE
	Attention-key-handling program ²	*USE	*EXECUTE
	Current library ²	*USE	*EXECUTE
	Group profile (GRPPRF or SUPGRPPRF)^2,4	OBJMGT, OBJOPR, READ, ADD, UPD, DLT	*EXECUTE
CHGUSRPRTI	User profile	*CHANGE
CHKPWD
CRTUSRPRF ^{3, 12, 17}	Initial program	*USE	*EXECUTE
	Initial menu	*USE	*EXECUTE
	Job description	*USE	*EXECUTE
	Message queue	*USE	*EXECUTE
	Output queue	*USE	*EXECUTE
	Attention-key- handling program	*USE	*EXECUTE
	Current library	*USE	*EXECUTE
	Group profile (GRPPRF or SUPGRPPRF)⁴	OBJMGT, OBJOPR, READ, ADD, UPD, DLT	*EXECUTE
CVTUSRCERT^{3, 14}
DLTUSRPRF ^3,9	User profile	OBJEXIST, USE	*EXECUTE
DLTUSRPRF ^3,9	Message queue ⁵	OBJEXIST, USE, *DLT	*EXECUTE
DMPUSRPRF ²²(Q)	User profile
DSPACTPRFL ¹⁴(Q)
DSPACTSCD ¹⁴(Q)
DSPAUTUSR ⁶	User profile	*READ
DSPEXPSCD ¹⁴(Q)
DSPPGMADP	User profile	*OBJMGT
DSPPGMADP	Output file	Refer to the general rules.	Refer to the general rules.
DSPSSTUSR ²³
DSPUSRPRF¹⁹	User profile	*READ	*EXECUTE
DSPUSRPRF¹⁹	Output file	Refer to the general rules.	Refer to the general rules.
DSPUSRPRTI	User profile	*USE
GRTUSRAUT ⁷	Referenced user profile	*READ
GRTUSRAUT ⁷	Objects you are granting authority to	*OBJMGT	*EXECUTE
PRTPRFINT ¹⁴(Q)
PRTUSRPRF ¹⁸
RSTAUT (Q) ⁸
RSTUSRPRF (Q) ^{8,10, 16}
RTVUSRPRF²⁰	User profile	*READ
RTVUSRPRTI	User profile	*USE
SAVSECDTA ⁸	Save file, if empty	USE, ADD	*EXECUTE
SAVSECDTA ⁸	Save file, if records exist	OBJMGT, USE, *ADD	*EXECUTE
WRKUSRPRF ¹³	User profile	Any authority
¹ This command can be run only if you are signed on as QSECOFR. ² You need authority only to the objects for fields you are changing in the user profile. ³ SECADM special authority is required. ⁴ OBJMGT authority to the group profile cannot come from adopted authority. ⁵ The message queue associated with the user profile is deleted if it is owned by that user profile. To delete the message queue, the user running the DLTUSRPRF command must have the authorities specified.
⁶ The display includes only user profiles to which the user running the command has the specified authority. ⁷ See the authorities required for the GRTOBJAUT command. ⁸ SAVSYS special authority is required. ⁹ If you select the option to delete objects owned by the user profile, you must have the necessary authority for the delete operations. If you select the option to transfer ownership to another user profile, you must have the necessary authority to the objects and to the target user profile. See information for the CHGOBJOWN command. ¹⁰ You must have ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
¹¹ You must have AUDIT special authority. ¹² The user whose profile is created is given these authorities to it: OBJMGT, OBJOPR, READ, ADD, DLT, UPD, EXECUTE. ¹³ To use an individual operation, you must have the authority required by the operation. ¹⁴ You must have ALLOBJ special authority to use this command. ¹⁵ You must have JOBCTL special authority to use this command.
¹⁶ You must have ALLOBJ and SECADM special authorities to specify SECDTA(PWDGRP), USRPRF(ALL) or OMITUSRPRF. ¹⁷ When you perform a CRTUSRPRF, you cannot create a user profile (USRPRF) into an independent disk pool. However, when a user is privately authorized to an object in the independent disk pool, is the owner of an object on an independent disk pool, or is the primary group of an object on an independent disk pool, the name of the profile is stored on the independent disk pool. If the independent disk pool is moved to another system, the private authority, object ownership, and primary group entries will be attached to the profile with the same name on the target system. If a profile does not exist on the target system, a profile will be created. The user will not have any special authorities and the password will be set to NONE. ¹⁸ You must have ALLOBJ or AUDIT special authority to use this command. ¹⁹ You must have either ALLOBJ or AUDIT special authority to display the current object auditing value and action auditing value displayed. Otherwise, the value NOTAVL is displayed to indicate that the values are unavailable for display. ²⁰ You must have either ALLOBJ or AUDIT special authority to retrieve the current OBJAUD and AUDLVL values. Otherwise, the value NOTAVL is returned to indicate that the values are unavailable for retrieval.
²¹ To use this command, you must have service (SERVICE) special authority, or be authorized to the Service Dump function of IBM i through the support of the IBM Navigator for i Application Administration. The Change Function Usage (CHGFCNUSG) command with a function ID of QIBM_SERVICE_DUMP can also be used to change the list of users that are allowed to perform dump operations. ²² To use this command, you must have SERVICE special authority or have the authorization to the QIBM_SERVICE_DUMP function usage list. ²³ You must have either security administrator (SECADM) or audit (AUDIT) special authority to use this command.