IBM Support

Adding authority to user profile for SECADM without *ALLOBJ

How To


Summary

Create a user profile that has *SECADM special authority but not *ALLOBJ, and that can still manage the user profiles on the system.

Objective

This document shows how to set up a security administrator profile that does not have *ALLOBJ special authority but can still work with all user profiles on the system.

Steps

Step 1:  In IBM i ACS Run SQL Scripts (RSS), run the query below to generate the CL commands that grant (GRTOBJAUT) *USE authority on every user profile to the security administrator profile.

-- List every user profile object in QSYS into a work file in QTEMP
cl: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(QTEMP/USRP);

-- Build one GRTOBJAUT command per profile, skipping names that start with Q
SELECT 'cl: GRTOBJAUT OBJ(' || TRIM(ODLBNM) || '/' || TRIM(ODOBNM) || ')' ||
        ' OBJTYPE(*USRPRF) USER(SECADMPRF) AUT(*USE) REPLACE( *NO);'
    FROM qtemp/usrp
    WHERE ODOBNM NOT LIKE 'Q%';

NOTE:  Replace SECADMPRF with the user profile you created to do the security administration.
NOTE 2: The query excludes all IBM-supplied Qxxxxx profiles.

Granting *USE to the security administrator profile allows it to see all user profiles with the WRKUSRPRF *ALL command.

The query output is one generated cl: GRTOBJAUT command per user profile.


Step 2:  In the result panel, right-click and click "save results".

Save it as a text file and make sure "include column headings" is not checked.


Step 3:  In ACS Run SQL Scripts, open this file as a PC file, setting the file type to all files, and select the file you saved.

Review the profiles that the authority will be granted on and, once confirmed, run the query.

Step 4:  In IBM i ACS Run SQL Scripts (RSS), run the query below to generate the CL commands that grant (GRTOBJAUT) *OBJEXIST and *OBJMGT authority on every user profile to the security administrator profile.

*OBJEXIST and *OBJMGT allow the security administrator to perform CHGUSRPRF and DLTUSRPRF.

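-- Refresh the work file with the current list of user profiles
cl: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(QTEMP/USRP);

-- Build one GRTOBJAUT command per profile for *OBJEXIST and *OBJMGT
SELECT 'cl: GRTOBJAUT OBJ(' || TRIM(ODLBNM) || '/' || TRIM(ODOBNM) || ')' ||
        ' OBJTYPE(*USRPRF) USER(SECADMPRF) AUT(*OBJEXIST *OBJMGT) REPLACE( *NO);'
    FROM qtemp/usrp;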

Step 5:  In the result panel, right-click and click "save results" (same as Step 2).

Step 6:  In ACS Run SQL Scripts, open this file as a PC file, setting the file type to all files, and select the file you saved.

Review the profiles that the authority will be granted on and, once confirmed, run the query. Note that the Step 4 query has no WHERE clause, so unlike Step 1 the generated file also includes the IBM-supplied Q profiles.
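The review in Steps 3 and 6 can be partly automated before the saved file is run. The following is an added example, not part of the IBM document: a Python check that accepts only lines matching the GRTOBJAUT template generated above and rejects everything else. The function name review_grant_file, the sample lines, and the assumption that the saved file holds one command per line are illustrative.

```python
import re

# Shape of one line produced by the Step 1 / Step 4 queries on this page.
CMD_RE = re.compile(
    r"^cl:\s*GRTOBJAUT\s+OBJ\((?P<lib>[^/()\s]+)/(?P<prf>[^/()\s]+)\)\s+"
    r"OBJTYPE\(\*USRPRF\)\s+USER\((?P<grantee>[^()\s]+)\)\s+"
    r"AUT\((?P<aut>[^()]*)\)\s+REPLACE\(\s*\*NO\s*\);?\s*$",
    re.IGNORECASE,
)

def review_grant_file(text, grantee, allowed_aut, allow_q_profiles=False):
    """Return (targets, problems): profiles to grant on, and (line, reason) rejects."""
    targets, problems, seen = [], [], set()
    allowed = {a.upper() for a in allowed_aut}
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = CMD_RE.match(line)
        if not m:  # anything that is not exactly one templated command
            problems.append((no, "not a single GRTOBJAUT *USRPRF command"))
            continue
        prf = m["prf"].upper()
        auts = set(m["aut"].upper().split())
        if m["lib"].upper() != "QSYS":
            problems.append((no, "library is not QSYS"))
        elif m["grantee"].upper() != grantee.upper():
            problems.append((no, "unexpected grantee " + m["grantee"]))
        elif not auts or not auts <= allowed:
            problems.append((no, "unexpected authority " + m["aut"].strip()))
        elif prf.startswith("Q") and not allow_q_profiles:
            problems.append((no, "Q-prefixed profile " + prf))
        elif prf in seen:
            problems.append((no, "duplicate target " + prf))
        else:
            seen.add(prf)
            targets.append(prf)
    return targets, problems

# Constructed sample of a saved Step 1 file; line 4 stands in for a stray heading.
SAMPLE = """\
cl: GRTOBJAUT OBJ(QSYS/ALICE) OBJTYPE(*USRPRF) USER(SECADMPRF) AUT(*USE) REPLACE( *NO);
cl: GRTOBJAUT OBJ(QSYS/QSECOFR) OBJTYPE(*USRPRF) USER(SECADMPRF) AUT(*USE) REPLACE( *NO);
cl: GRTOBJAUT OBJ(QSYS/BOB) OBJTYPE(*USRPRF) USER(SECADMPRF) AUT(*ALL) REPLACE( *NO);
ODLBNM ODOBNM
"""

if __name__ == "__main__":
    print(review_grant_file(SAMPLE, "SECADMPRF", {"*USE"}))
```

For the Step 4 file, pass {"*OBJEXIST", "*OBJMGT"} as allowed_aut, and set allow_q_profiles=True only if granting on the Q profiles is intended.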

Document Location

Worldwide



Document Information

More support for:
IBM i

Component:
Job and Work Management->Authority

Software version:
All Versions

Operating system(s):
IBM i

Document number:
7123775

Modified date:
27 February 2024

UID

ibm17123775
