What you should know about restoring user profiles

When you are restoring user profiles from a source system to a target system, you must make sure that the password level values (QPWDLVL) are compatible.

For example, restoring a user profile from the source system with a password value of 2 might result in a non-valid password on the target system with a password value of 0 or 1. Password level 2 allows more characters than password level 0 or 1.

Restoring all profiles: When you restore all profiles, the system does not first delete all profiles, authorization lists, and authority holders on the system. Therefore, the result is both of the following:

  • All the profiles, authorization lists, and authority holders on the media.
  • Any profiles, authorization lists, and authority holders on the system that were not on the save media.

Restoring all profiles is the only way to restore authorization lists and authority holders. If an object does not exist on the system, the link between an authorization list and the object is restored when you restore the object. However, objects in library QSYS are restored before the user profiles and the authorization lists. Therefore the links between authorization lists and objects in library QSYS are not restored when the objects are restored. You can restore the links for objects in QSYS if you saved security data from IBM® i 7.3 or higher. To restore these links, run RSTUSRPRF USRPRF(*ALL) or RSTUSRPRF USRPRF(*NEW) and then run RSTAUT.

Security note: If the IBM-supplied user profiles have the default passwords on your save media, they will again have default passwords after you perform the restore operation. This is a security exposure. After a restore operation, verify that the IBM-supplied user profiles do not have the default passwords.

Restoring *ALLOBJ special authority: *ALLOBJ special authority is removed from user profiles being restored to a system at security level 30 or higher in either of these situations:

  • The profile was saved from a different system, and the person doing the restore does not have *ALLOBJ and *SECADM authority.
  • The profile was saved from the same system or a different system at security level 10 or 20.

The system keeps *ALLOBJ special authority for the following system user profiles:

  • QSYS
  • QSECOFR
  • QLPAUTO
  • QLPINSTALL

Moving users to another system: To transfer user profiles and their authorities to another system, perform these tasks:

  1. Save the user profiles and authorities by using the Save Security Data (SAVSECDTA) command.
  2. Restore the user profiles by using RSTUSRPRF USRPRF(*ALL) ALWOBJDIF(*ALL). The following are some considerations for restoring authority information for user profiles:
    • Use the USRPRF(*NEW) parameter to restore only user profiles which do not currently exist on the target system.
    • Use the OMITUSRPRF parameter to omit user profiles that you do not want to restore. To omit Digital Certificate Manager (DCM) data, specify the *DCM value on the OMITSECDTA parameter on the RSTUSRPRF command. To omit authority lists, specify the *AUTL value on the OMITSECDTA parameter. To omit function usage information, specify *FCNUSG on the OMITSECDTA parameter. These values are useful if you are merging user profiles from multiple systems onto a single system.
  3. Restore the needed objects by using the Restore Library (RSTLIB), Restore Object (RSTOBJ), Restore (RST), or Restore Document Library Object (RSTDLO) commands, specifying ALWOBJDIF(*ALL) or ALWOBJDIF(*COMPATIBLE). For the RSTLIB and RSTOBJ commands, it is preferable to specify ALWOBJDIF(*COMPATIBLE).
  4. Restore the private authorities of the user profiles by using the Restore Authority (RSTAUT) command.
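The following CL program is an added example and is not part of the IBM documentation. It runs on the target system and ties the four steps above together with the two checks this page asks for: it compares the target QPWDLVL with the source level before restoring anything, and after RSTAUT it runs ANZDFTPWD so that IBM-supplied profiles restored with default passwords are reported. The parameter names, the device and library values, and the assumption that QPWDLVL can be retrieved into a *DEC (5 0) variable are the example's own; SAVSECDTA, RSTUSRPRF, RSTLIB, RSTAUT, ANZDFTPWD and message CPF9898 are standard IBM i commands and messages.

```cl
             PGM        PARM(&SRCLVL &DEV &LIB)

/* Constructed example: migrate user profiles, objects and private      */
/* authorities onto THIS (target) system. Assumed inputs:               */
/*   &SRCLVL  QPWDLVL of the source system (for example 2), typed by    */
/*            the operator; a numeric literal on CALL arrives as        */
/*            *DEC (15 5), so the parameter is declared that way        */
/*   &DEV     save device holding the SAVSECDTA and SAVLIB output       */
/*   &LIB     application library saved with SAVLIB after SAVSECDTA     */

             DCL        VAR(&SRCLVL) TYPE(*DEC)  LEN(15 5)
             DCL        VAR(&DEV)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&TGTLVL) TYPE(*DEC)  LEN(5 0)
             DCL        VAR(&MSGID)  TYPE(*CHAR) LEN(7)
             DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(80)

/* Step 0: refuse to proceed when the target password level is lower    */
/* than the source level, because passwords saved at a higher level     */
/* may not be valid here. QPWDLVL is assumed to be retrievable into a   */
/* *DEC (5 0) variable.                                                 */
             RTVSYSVAL  SYSVAL(QPWDLVL) RTNVAR(&TGTLVL)
             IF         COND(&TGTLVL *LT &SRCLVL) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Target QPWDLVL lower than source; cancelled') +
                             MSGTYPE(*ESCAPE)
             ENDDO

/* Step 1 was run on the SOURCE system, not here:                       */
/*     SAVSECDTA DEV(TAP01)                                             */

/* Step 2: restore all profiles. ALWOBJDIF(*ALL) accepts profiles that  */
/* were saved on another system. USRPRF(*NEW) would leave profiles that */
/* already exist on this system untouched.                              */
             RSTUSRPRF  DEV(&DEV) USRPRF(*ALL) ALWOBJDIF(*ALL)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(RSTERR))

/* Step 3: restore the objects, then (step 4) the private authorities   */
/* on them. RSTAUT is only meaningful after the objects exist.          */
             RSTLIB     SAVLIB(&LIB) DEV(&DEV) ALWOBJDIF(*COMPATIBLE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(RSTERR))
             RSTAUT     USRPRF(*ALL)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(RSTERR))

/* Post-restore check: the media may carry IBM-supplied profiles with   */
/* their default passwords. ACTION(*NONE) only produces the report;     */
/* ACTION(*DISABLE) or ACTION(*PWDEXP) would also act on those profiles.*/
             ANZDFTPWD  ACTION(*NONE)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Migration complete; review ANZDFTPWD report') +
                          MSGTYPE(*COMP)
             RETURN

/* Any escape from a restore step is re-sent to the caller with the     */
/* failing message ID so nobody continues on top of a partial restore.  */
 RSTERR:     RCVMSG     MSGTYPE(*EXCP) RMV(*NO) MSGID(&MSGID)
             CHGVAR     VAR(&TEXT) VALUE('Restore step failed with ' *CAT &MSGID)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&TEXT) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Compile it with CRTCLPGM or CRTBNDCL and call it as, for example, CALL PGM(MIGPRF) PARM(2 TAP01 APPLIB), where 2 is the QPWDLVL read from the source system with DSPSYSVAL before the save. Every restore step is monitored so that a failure stops the program instead of leaving authorities half-restored.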

User expiration fields: The following rules apply to the user expiration functions when profiles are restored:

  • When a user profile is restored (all profiles or individual profile) that already exists on the system, the restore operation cannot change the existing user expiration fields.
  • When a user profile is restored (all profiles or individual profile) that does not yet exist on the system, all fields in the user profile are restored from the save media, including the user expiration interval and user expiration date fields:
    • If the profile is enabled and the user expiration date has passed, the user profile is set to disabled and diagnostic message CPF2271 is sent.
    • If the profile is enabled and the user expiration date has not passed, the job scheduler entry is added.