TAA Tools

The Display  Profile Authorizations command  displays one,  generic, or
all profiles  and flags those  where the *PUBLIC or  an authorized user
has  at least  *USE rights  to the  user profile.   The  owner, *ALLOBJ
users, and  certain system profiles  are bypassed.   The user  profiles
that are  flagged represent  a security exposure  as the *PUBLIC  or an
authorized  user can submit  a job as  the user profile or  swap to the
user profile.

You must have *ALLOBJ authority to use DSPPRFAUT.

A typical command would be:

             DSPPRFAUT  USRPRF(*ALL)

All user  profiles would  be  listed along  with the  authorized  users
(the  owning  user  profile  would  be bypassed).    If  a  *PUBLIC  or
authorized  user has at least  *USE authority to the  user profile, the
user would be flagged.  *ALLOBJ  users and certain system profiles  are
bypassed to avoid clutter.

Allowing the *PUBLIC  or a specified user  to have *USE authority  to a
user profile, allows the *PUBLIC or authorized user to:

  **   Submit a job naming the user profile.

  **   Swap to the user profile during the running of a job.

Both  of these  possibilities  represent  a security  exposure  in most

In  addition, a user can  use WRKUSRPRF or DSPOBJD to  see the names of
the user profiles on the system.

Flagging user profile owners

An option  exists on  the DSPPRFAUT to  flag those  user profiles  that
are not  owned by  a list of  users.  The  default is *DFT  which means
QSECOFR and QSYS.  You may name up to 300 users.

Some  systems have  a requirement  that all user  profiles be  owned by
designated profiles.   It  is not  necessarily a  security exposure  to
have a user profile  owned by other that QSECOFR  or QSYS, but allowing
the flag to occur can simplify checking for exception situations.

Running under a profile that adopts *ALLOBJ

If DSPPRFAUT  is run under a  profile that adopts an  *ALLOBJ user, the
user profile *GROUP will be shown for  the user when a command such  as
DSPOBJAUT is  used for the  profile.  The  *GROUP name also  appears in
the  internal file  processed by  DSPPRFAUT.   Rather than  clutter the
listing with this information, the *GROUP user profile is bypassed.

DSPPRFAUT escape messages you can monitor for

None.  Escape messages from based on functions will be re-sent.

DSPPRFAUT Command parameters                          *CMD

   USRPRF        The  name or  generic name of  the user  profile to be
                 checked.  *ALL is  the default for all user  profiles.

   BYPOWN        A  *YES/*NO option  for  whether to  bypass the  owner
                 which   typically  has  all   authority  to  the  user
                 profile.  *YES is the default.

                 *NO  may   be   specified   to   include   the   owner

   AUTOWNERS     A  list  of up  to  300  owners  may be  specified  to
                 prevent  flagging.   The default  is *DFT  which means
                 QSECOFR and QSYS.

                 If a  user profile  is  not owned  by  a user  in  the
                 list, the user profile is flagged.

                 You  may want  to  add your  own  list of  valid  user
                 profiles that are allowed to own other profiles.

   REFRESH       An  option  to  determine  if  the  DSPUSRPRF  OUTFILE
                 function  is used to refresh  the TAASECKP file in the
                 TAASECURE library.   The default  is *YES meaning  the
                 file will be refreshed.

                 *DAYCHG  may be  specified which  means the  file will
                 be  refreshed if  the  last time  the file  was output
                 was on  a different  day.   *DAYCHG  assumes that  you
                 are using the  command repeatedly on the  same day and
                 do not want to keep refreshing the information.

                 *NO  may be specified  to use  the existing data.   If
                 no data exists, the file is output.

   OUTPUT        How to  output  the results.    * is  the  default  to
                 display the  spooled file  if the  command is  entered
                 interactively.   The spooled file is  deleted after it
                 is displayed.

                 If  the  command  is  entered in  batch  or  *PRINT is
                 specified, the  spooled file is  output and  retained.


You must have *ALLOBJ authority to use DSPPRFAUT.


The following TAA Tools must be on your system:

     CHKALLOBJ       Check *ALLOBJ special authority
     CHKGENERC       Check generic name
     CRTLFSRC        Create logical file source
     CVTDAT          Convert date
     CVTLIBAUT       Convert library authorizations
     EXTLST2         Extract list 2
     RMVMSGKEY       Remove message key
     RTVSYSVAL3      Retrieve system value 3
     SCNVAR          Scan variable
     SNDCOMPMSG      Send completion message
     SNDESCINF       Send escape information
     SNDESCMSG       Send escape message


None, the tool is ready to use.

Objects used by the tool

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   DSPPRFAUT     *CMD                   TAASEIW       QATTCMD
   TAASEIWC      *PGM       CLP         TAASEIWC      QATTCL
   TAASEIWC2     *PGM       CLP         TAASEIWC2     QATTCL
   TAASEIWR      *PGM       RPG         TAASEIWR      QATTRPG

Added to TAA Productivity tools July 15, 2011

Home Page Up to Top