TAA Tools
DLTUSRPRF2      DELETE USER PROFILE 2                  TAASEDT

The  Delete  User  Profile tool  is  designed  for  Assistant  Security
Officers  to be  able to  delete  a user  profile.   QSECOFR  cannot be
deleted  nor  can any  user profile  in  a Security  Officer controlled
list.  The  user of the  command must be  authorized to the  TAADLTUSR2
authorization list.  DLTUSRPRF2 is an option on the SECOFR2 menu.

A typical command would be:

           DLTUSRPRF2 USRPRF(JONES)

This would delete the user's profile.

The  same parameters  that exist  on the  system DLTUSRPRF  command are
supported  on DLTUSRPRF2  to allow  such functions as  transferring any
owned objects to another user profile.

The  user  of  the  command  must  be  authorized  to   the  TAADLTUSR2
authorization list.

The DLTUSRPRF2  data area in  TAASECURE can be  used to specify  a list
of additional  profiles that cannot be deleted  using the command.  The
Security Officer can  use the following  command to specify  additional
user profiles:

        EDTCONARR     DTAARA(TAASECURE/DLTUSRPRF2)

If the  user  entering DLTUSRPRF2  has *ALLOBJ  special authority,  the
user  can delete any  user profile  except QSECOFR, QSRV,  QSRVBAS, and
TAAJOBCTL.     In  addition,  those  user  profiles  specified  in  the
DLTUSRPRF2 data area in TAASECURE cannot be deleted.

If the user  does not have *ALLOBJ  authority, the following cannot  be
deleted:

  **   QSECOFR  or any  user in  the list  described by  the DLTUSRPRF2
       data area in TAASECURE.

  **   Any  user  profile  that has  a  special  authority  of *ALLOBJ,
       *SECADM,  or  *SERVICE.     These   profiles  have   significant
       security  aspects to  them and  should  only be  deleted by  the
       Security Officer.
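The special-authority rule above, written out as an added CL illustration that is not TAA's own code: a hypothetical program CHKDLTELG returns 'Y' only when the caller may delete the target profile under that rule. It covers QSECOFR and the *ALLOBJ/*SECADM/*SERVICE gating; the TAASECURE/DLTUSRPRF2 data-area list is not checked here because its layout is not described on this page.

```cl
             PGM        PARM(&USRPRF &ELIGIBLE)
             DCL        VAR(&USRPRF)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&ELIGIBLE) TYPE(*CHAR) LEN(1)    /* 'Y' or 'N' */
             DCL        VAR(&CURSPC)   TYPE(*CHAR) LEN(150)  /* caller's SPCAUT */
             DCL        VAR(&TGTSPC)   TYPE(*CHAR) LEN(150)  /* target's SPCAUT */
             DCL        VAR(&AUT)      TYPE(*CHAR) LEN(10)
             DCL        VAR(&POS)      TYPE(*INT)
             DCL        VAR(&CALLALL)  TYPE(*LGL)  VALUE('0') /* caller has *ALLOBJ */
             DCL        VAR(&TGTSENS)  TYPE(*LGL)  VALUE('0') /* target is sensitive */

             CHGVAR     VAR(&ELIGIBLE) VALUE('N')

/* QSECOFR can never be deleted, whoever asks (added example, not TAA code) */
             IF         COND(&USRPRF *EQ 'QSECOFR') THEN(RETURN)

/* Reading another profile's attributes needs *READ to it, which is why   */
/* a program like this is created with USRPRF(*OWNER), as the tool is.    */
             RTVUSRPRF  USRPRF(*CURRENT) SPCAUT(&CURSPC)
             RTVUSRPRF  USRPRF(&USRPRF)  SPCAUT(&TGTSPC)
             MONMSG     MSGID(CPF2204) EXEC(RETURN)   /* target does not exist */

/* SPCAUT is returned as up to 15 ten-byte entries in one 150-byte field, */
/* so walk it in 10-byte steps instead of comparing the whole string.     */
             DOFOR      VAR(&POS) FROM(1) TO(141) BY(10)
                CHGVAR     VAR(&AUT) VALUE(%SST(&CURSPC &POS 10))
                IF         COND(&AUT *EQ '*ALLOBJ') +
                           THEN(CHGVAR VAR(&CALLALL) VALUE('1'))
                CHGVAR     VAR(&AUT) VALUE(%SST(&TGTSPC &POS 10))
                IF         COND((&AUT *EQ '*ALLOBJ') *OR (&AUT *EQ '*SECADM') +
                                *OR (&AUT *EQ '*SERVICE')) +
                           THEN(CHGVAR VAR(&TGTSENS) VALUE('1'))
             ENDDO

/* A caller with *ALLOBJ may delete any profile not otherwise protected;  */
/* a caller without it may not delete *ALLOBJ, *SECADM or *SERVICE users. */
             IF         COND(&CALLALL *OR (*NOT &TGTSENS)) +
                        THEN(CHGVAR VAR(&ELIGIBLE) VALUE('Y'))
             ENDPGM
```

RTVUSRPRF reports only the profile's own special authorities, not those inherited from a group profile, so a check like this treats a group-inherited *ALLOBJ as absent.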

To  provide  for  an  audit  trail  of  the  use  of the  command,  the
following occurs:

  **   If the QAUDJRN journal exists, an  entry is sent to the  journal
       describing  the  use   of  DLTUSRPRF2,  the  profile   that  was
       deleted, and  the user that did  the delete.  The  entry type is
       DP.

  **   If  the QAUDJRN journal does not  exist, the same information as
       described for the  journal entry is sent  as a message to  QHST.
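To review that audit trail afterwards, this added CL fragment (not part of the tool) pulls the DP entries from QAUDJRN into a QTEMP file, or falls back to the QHST log when the journal does not exist, mirroring the two cases above. The program name and the &FROMDATE parameter (assumed to be in the job's date format) are assumptions.

```cl
             PGM        PARM(&FROMDATE)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(6)  /* job date format */

/* No QAUDJRN: the tool sent the same information to QHST, so read the   */
/* history log from the requested date onward.                           */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                DSPLOG     LOG(QHST) PERIOD((*AVAIL &FROMDATE) (*AVAIL *END)) +
                           OUTPUT(*PRINT)
                RETURN
             ENDDO

/* QAUDJRN exists: keep only the DP entries from the given date onward.  */
/* The entry-specific data carries the deleted profile and the deleter.  */
             DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(DP) +
                        FROMTIME(&FROMDATE *AVAIL) +
                        OUTPUT(*OUTFILE) OUTFILE(QTEMP/DPENTRIES) +
                        OUTFILFMT(*TYPE1)
             ENDPGM
```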

Use with the TAADPTSEC Authorization List
-----------------------------------------

An  alternative approach is  to allow  for multiple  assistant security
officers  who can each manage a  set of unique user  profiles.  This is
called a 'Departmental  Security Officer'.  See  the discussion of  the
TAADPTSEC authorization list in the SECOFR2 tool documentation.

Command parameters                                    *CMD
------------------

   USRPRF        The user  profile to  be deleted.   QSECOFR  cannot be
                 deleted  nor any user profile  found in the DLTUSRPRF2
                 data area in  TAASECURE.   If the user  does not  have
                 *ALLOBJ  special  authority,  any  user  profile  with
                 *ALLOBJ, *SECADM, or *SERVICE cannot be deleted.

   OWNOBJOPT     Specifies  the type of  operations to be  performed on
                 the  owned objects of the  user profile being deleted.
                 This is the same  function as on the  system DLTUSRPRF
                 command.

                 *NODLT is  the default  and prevents the  user profile
                 from being deleted if any objects are owned.

                 *DLT  may be specified to delete  any objects owned by
                 the user profile.

                 *CHGOWN may be  specified to  change the ownership  of
                 any owned  objects to  a named user  profile.   A user
                 profile name must be specified as the new owner.

   PGPOPT        Specifies  the type of  operations to  be performed on
                 the objects  the user  profile  being deleted  is  the
                 primary group for.   This is  the same function  as on
                 the system DLTUSRPRF command.

                 *NOCHG  is the default  and prevents the  user profile
                 from  being deleted if  the user is  the primary group
                 for some objects.

                 *CHGPGP may be specified  to transfer the objects  the
                 user  profile  is the  primary  group  for to  another
                 user  profile.  If  *CHGPGP is specified,  a user name
                 must be specified  or the  value *NONE.   If *NONE  is
                 specified,  the  objects  will  no longer  be  in  the
                 primary group.

                 The  possible user profile values  for the New Primary
                 Group are:

                 User profile  name.   The  user  profile must  have  a
                 group ID (gid).

                 *NONE.  The objects do not have a primary group.

                 *OLDPGP.    The   new  primary  group  has   the  same
                 authority as the old primary group.

                 *PRIVATE.     See  the   discussion  for   the  system
                 DLTUSRPRF command.

                 *ALL.    The new  primary group  has all  authority to
                 the object.

                 *CHANGE.  The  new primary group has  change authority
                 to the object.

                 *USE.   The  new primary  group has  use  authority to
                 the object.

                 *EXCLUDE.     The   new  primary  group   has  exclude
                 authority to the object.

   DLTUSRSPLF    A *YES/*NO parameter for  whether spooled files  owned
                 by the  user should be deleted.   The system  does not
                 delete  spooled files  owned by the  user if  the user
                 profile is deleted.

                 *YES is  the  default  to  delete  any  owned  spooled
                 files.  The  TAA tool DLTUSRSPLF  is used.   A listing
                 will be output if any are deleted.

                 *NO  may  be specified  to  retain  any spooled  files
                 owned by the user.

Restrictions
------------

See previous comments.

The major restrictions are:

  **   The  user  must be  authorized  to the  TAADLTUSR2 authorization
       list.

  **   If the user  does not have  *ALLOBJ special authority, any  user
       profile with  *ALLOBJ, *SECADM,  or *SERVICE cannot  be deleted.

  **   Additional  restrictions  exist if  the  TAADPTSEC authorization
       list  exists.     See  the  discussion   in  the  SECOFR2   tool
       documentation.

Prerequisites
-------------

The following TAA Tools must be on your system:

     UNADOPT      Unadopt security

Implementation
--------------

The tool  is ready  to use,  but a user  must  be authorized  to the
TAADLTUSR2 authorization list.  For example,

      ADDAUTLE   AUTL(TAADLTUSR2) USER(xxx) AUT(*USE)

The  Security  Officer  may also  specify  certain  user profiles  that
cannot be deleted  by entering them  into the DLTUSRPRF2  data area  in
TAASECURE.  To edit the list of protected profiles, use the command:

        EDTCONARR    DTAARA(TAASECURE/DLTUSRPRF2)

You do not  need to enter  QSECOFR as it is  always prevented.   You do
not  need  to add  a  user  profile that  has  a  special authority  of
*ALLOBJ,  *SECADM,  or *SERVICE  unless  you do  not  want a  user with
*ALLOBJ authority  to be able  to delete these  profiles.  Any  profile
with one  or more of these  special authorities will be  prevented from
being deleted by other code in the program.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   DLTUSRPRF2    *CMD                   TAASEDT       QATTCMD
   TAASEDTC      *PGM       CLP         TAASEDTC      QATTCL
   DLTUSRPRF2    *DTAARA

The DLTUSRPRF2 data area is in the TAASECURE library.

The TAASEDTC program is created with USRPRF(*OWNER).

Added to TAA Productivity tools June 1, 1997
