IBM Support

Find User Profiles that are Publicly Accessible.

How To


Summary

Create a list of user profile objects whose authority for *PUBLIC is not *EXCLUDE, then use the results to create a report of the user profiles and their Special Authorities.

Objective

Find user profiles on the System that create a Security Exposure. 

Steps

Combine the OBJECT_PRIVILEGES and USER_INFO views to create a report that lists all user profile objects in QSYS whose *PUBLIC authority is set to any value other than *EXCLUDE.
Authorization: The caller must have *OBJOPR and *READ authorities to the *USRPRF. To see a non-null value for the USER_DEFAULT_PASSWORD column, the caller must have *ALLOBJ and *SECADM authorities.

Steps:

1) Open the ACS Run SQL Scripts tool 
2) Run the following SQL:
-- Step 1: Find objects with PUBLIC authority other than *EXCLUDE
WITH UserProfiles AS (
        SELECT OBJECT_NAME
            FROM QSYS2.OBJECT_PRIVILEGES
            WHERE SYSTEM_OBJECT_SCHEMA = 'QSYS'
                  AND OBJECT_TYPE = '*USRPRF'
                  AND AUTHORIZATION_NAME = '*PUBLIC'
                  AND OBJECT_AUTHORITY <> '*EXCLUDE'
    )
-- Step 2: Generate report of user special authorities
    SELECT u.USER_NAME,
           u.SPECIAL_AUTHORITIES
        FROM QSYS2.USER_INFO u
             JOIN UserProfiles p
                 ON u.USER_NAME = p.OBJECT_NAME;
NOTE: Any of the profiles listed on the report could be used by other users to gain access to objects on the System and elevate their special authorities.
NOTE 2: If no users are listed on the report, there are no users on the system with publicly accessible profiles.
NOTE 3: You should take action and change the *PUBLIC authority of the user profile object to *EXCLUDE to increase the Security of the System.
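
The following is an added example, not part of the original IBM document. It extends the report above with the current *PUBLIC authority value, the profile status, a review priority, and the text of a GRTOBJAUT command that would apply the change described in NOTE 3. The REVIEW_PRIORITY ranking and the column aliases are assumptions made for illustration.

```sql
-- Added example: same views and filters as the query above.
-- Produces one row per exposed profile, highest-risk profiles first,
-- with the CL command text needed to set *PUBLIC to *EXCLUDE.
WITH Exposed AS (
        SELECT OBJECT_NAME,
               OBJECT_AUTHORITY
            FROM QSYS2.OBJECT_PRIVILEGES
            WHERE SYSTEM_OBJECT_SCHEMA = 'QSYS'
                  AND OBJECT_TYPE = '*USRPRF'
                  AND AUTHORIZATION_NAME = '*PUBLIC'
                  AND OBJECT_AUTHORITY <> '*EXCLUDE'
    )
    SELECT u.USER_NAME,
           -- A value of *AUTL means *PUBLIC authority comes from an
           -- authorization list; review that list before changing it.
           e.OBJECT_AUTHORITY AS PUBLIC_AUTHORITY,
           u.STATUS,
           u.SPECIAL_AUTHORITIES,
           -- Assumed ranking: profiles holding *ALLOBJ or *SECADM first,
           -- then any other special authority, then the rest.
           CASE
               WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
                    OR u.SPECIAL_AUTHORITIES LIKE '%*SECADM%' THEN 1
               WHEN u.SPECIAL_AUTHORITIES IS NOT NULL THEN 2
               ELSE 3
           END AS REVIEW_PRIORITY,
           -- Command text only; nothing is executed by this query.
           'GRTOBJAUT OBJ(QSYS/' CONCAT TRIM(u.USER_NAME) CONCAT
           ') OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)' AS REMEDIATION_CMD
        FROM QSYS2.USER_INFO u
             JOIN Exposed e
                 ON u.USER_NAME = e.OBJECT_NAME
        ORDER BY REVIEW_PRIORITY, u.USER_NAME;
```

Review each REMEDIATION_CMD row before running it, since some applications may rely on the existing *PUBLIC authority. Running the original query again afterwards confirms that the changed profiles no longer appear.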

Document Location

Worldwide


Document Information

Modified date:
24 April 2025

UID

ibm17231048