The Security Officer Nbr 2 tool provides a simple menu for Assistant
Security Officers and Departmental Security Officers. To use the
options on the menu, the user must be authorized to authorization
lists (See later discussion).
The Assistant Security Officer can access all options he is
If you want a Departmental Security Officer concept, see the later
The SECOFR2 menu itself is controlled by the TAASECOFR2 authorization
list. This is shipped as *PUBLIC *EXCLUDE. An option exists when
authorizing users to the TAASECOFR2 authorization list that will
require a user to enter his password each time the menu is used. See
the later discussion of 'Checking the current user' for how to
authorize users to be able to see the menu. Each menu option is also
controlled by a unique authorization list.
The menu is accessed by:
The menu offers the following options:
1. Display user profile. The DSPUSRPRF2 TAA Tool command prompt
appears. This is a simple front end to the system DSPUSRPRF
command, but allows the user the display any profile. The
user must be authorized to the TAADSPUSR2 authorization list.
2. Initialize user profile. The INZPWD TAA Tool command prompt
appears. This allows the password to be initialized to either
the user profile name or a random value. This is intended for
users who forget their password.
If INZPWD is used, the user is forced to change his password
when he signs on. QSECOFR cannot be changed. The user must
be authorized to the TAAINZPWD authorization list. If the
user does not have *ALLOBJ authority, any profile with *ALLOBJ
or *SERVICE cannot be changed. The Security Officer can
specify other profiles that cannot be initialized by using
EDTCONARR for the data area INZPWD in TAASECURE.
This option may be removed from the menu. See the INZPWD tool
so that only INZPWD2 may be used.
3. Initialize user profile 2. The INZPWD2 TAA Tool command
prompt appears. This allows the password to be initialized to
a random value. The completion message describes the value.
This is intended for users who forget their password.
The function is similar to INZPWD, but forces the use of a
This option may be removed from the menu. See the INZPWD tool
so that only INZPWD may be used.
4. Enable user profile. The ENAUSRPRF TAA Tool command prompt
appears. This allows a disabled profile to be reset. The
user must be authorized to the TAAENAUSR authorization list.
5. Disable user profile. The DSAUSRPRF command prompt appears.
The user is allowed to disable a user profile. The user must
be authorized to the TAADSAPRF authorization list.
QSECOFR cannot be disabled. The Security Officer can specify
other profiles that cannot be disabled by using EDTCONARR for
the data area DSAUSRPRF in TAASECURE.
6. Change user profile 2. The CHGUSRPRF2 command prompt appears.
The user must be authorized to the TAACHGPRF2 authorization
list. The Security Officer controls what parameters are valid
to be changed. The other parameters can be optionally
displayed. The system has built in restrictions relative to
changes to the GRPPRF or SUPGRPPRF parameters. See the
instructions with CHGUSRPRF2.
7. Copy user profile 2. The CPYUSRPRF2 command prompt appears.
The user must be authorized to the TAACPYUSR2 authorization
list. This allows an authorized user to duplicate a user
profile without being the Security Officer. By default, a
profile containing any special authorities (such as *JOBCTL)
cannot be duplicated. See the tool documentation for how to
allow a user profile that contains special authorities to be
The presentation of the PWDEXP and CHGOWN keywords of the
CPYUSRPRF2 command can be controlled by the PMTPWDEXP and
PMTCHGOWN keys of the CPYUSRPRF2 application value found in
TAASECURE. Use EDTAPPVAL TAASECURE/CPYUSRPRF2 to modify the
settings. The default is to prompt for both of these command
8. Delete user profile 2. The DLTUSRPRF2 command prompt appears.
The user must be authorized to the TAADLTUSR2 authorization
list. This allows an authorized user to delete a user profile
without being the Security Officer. Critical profiles such as
QSECOFR or QSRV cannot be deleted.
9. Vary device on. The user must have either *JOBCTL special
authority or be authorized to the TAAVRYCFG authorization
list. If *JOBCTL exists, the VRYCFG command prompt appears.
If the user does not have *JOBCTL, but is authorized to the
TAAVRYCFG authorization list, the VRYCFG2 TAA command prompt
appears. The prompts are controlled so that the user can only
vary on a device description.
10. Vary device off. The user must have either *JOBCTL special
authority or be authorized to the TAAVRYCFGO authorization
list. The VRYCFGOFF command prompt appears. The prompt is
controlled so that the user can only vary off a device
Checking the current user
In some environments, the device to be used is in an open area and
only the normal user at the device should be authorized to certain
An option with the TAASECOFR2 authorization list exists to assist in
controlling this situation. The default for the authorization list
is the *PUBLIC user has *EXCLUDE authority. This prevents any user
from accessing the menu.
10. If the user (or *PUBLIC) has *USE authority, the user is
forced to enter his password before the menu is displayed.
The CHKPWD command is prompted for. This would be a solution
for devices that are in an open area.
10. If the user (or *PUBLIC) has *CHANGE authority to TAASECOFR2,
the menu is displayed without any password check. This would
be a solution for devices that are in a controlled area.
Departmental Security Officer Concept
The default for all of the tools on the menu is that the user must be
authorized to a TAA authorization list. The 'Vary on device' option
may also be used by a *JOBCTL special authority user.
If the user is authorized to one or more of the user profile options,
any user profile may be operated on with certain exceptions. For
example, a tool like INZPWD prevents certain profiles (such as
QSECOFR) and allows for a list of additional user profiles which
cannot be initialized.
The default is intended to allow an assistant security officer to
handle the everyday functions of a Security Officer.
You may set up an environment for a 'Departmental Security Officer'
where multiple assistant Security Officers exist where each can
manage a separate set of user profiles. A 'Departmental Security
Officer' can only manage the user profiles under his control. You
can combine the function of a 'Departmental Security Officer' as well
as having an assistant security officer who can control any user
profile (existing restrictions such as with INZPWD are still
The following rules exist:
10. If the TAADPTSEC authorization list exists, the user must be
authorized to the appropriate TAAxxx authorization list for
the desired SECOFR2 function and have one of the following:
-- Have all rights (typical of an owner) to any profile
named on the command prompt. For example, to
initialize a password, the user must have all rights to
the profile to be initialized.
-- *USE authority to the TAADPTSEC authorization list.
This concept allows an assistant security officer who
can cross departmental boundaries.
Any existing restrictions with the sub tools such as INZPWD are still
To provide for a Departmental Security Officer, do the following:
10. Use the TAA Tool command CRTDPTSEC (no parameters exist).
This will create the TAADPTSEC authorization list. You must
have *ALLOBJ special authority to use CRTDPTSEC.
10. Change the ownership of the user profiles of all profiles for
a given set of users to be owned by each Departmental Security
A typical command would be:
CHGOBJOWN OBJ(USER1) OBJTYPE(*USRPRF)
To provide for an Assistant Security Officer who can manage any
profile regardless of ownership, authorize the Assistant Security
Officer to the TAADPTSEC authorization list such as:
When the display appears, enter the Assistant Security Officer name
and specify *USE authority. Existing restrictions such as with the
INZPWD tool will still exist.
Note that any user with *ALLOBJ authority is implicitly authorized to
If you have set up for Departmental Security and want to return to
normal SECOFR2 security, just delete the TAADPTSEC authorization
Note that this will cause any existing Departmental Security Officers
to become Assistant Security Officers.
CRTDPTSEC Command *CMD
The command has no parameters. It is used to create the TAADPTSEC
authorization list to allow for Departmental Security. The user of
the command must have *ALLOBJ special authority.
See the discussion of the TAADPTSEC authorization list for
The following TAA Tools must be on your system:
CHGUSRPRF2 Change user profile nbr 2
CHKALLOBJ Check *ALLOBJ special authority
CPYUSRPRF2 Copy user profile nbr 2
DLTUSRPRF2 Delete user profile nbr 2
DSAUSRPRF Disable user profile
DSPERRMSG Display error message
DSPUSRPRF2 Display user profile nbr 2
ENAUSRPRF Enable user profile
FMTLIN Format line
INZPWD Initialize password
VRYCFGOFF Vary configuration off
VRYCFG2 Vary configuration 2
The tool is ready to use, but the user must be authorized to the
commands which are performed by the options.
** DSAUSRPRF. The TAA Tool command is controlled by the
TAADSAPRF authorization list.
** DSPUSRPRF2. The TAA Tool command is controlled by the
TAADSPUSR2 authorization list.
** INZPWD. The TAA Tool commands are controlled by the TAAINZPWD
** ENAUSRPRF. The TAA Tool command is controlled by the
TAAENAUSR authorization list.
** CHGUSRPRF2. The TAA Tool command is controlled by the
TAACHGPRF2 authorization list.
** CPYUSRPRF2. The TAA Tool command is controlled by the
TAACPYUSR2 authorization list.
** DLTUSRPRF2. The TAA Tool command is controlled by the
TAADLTUSR2 authorization list.
** VRYCFG. The system command is shipped with *PUBLIC authority.
However, the user must have the special authority *JOBCTL or
be authorized to the TAAVRYCFG authorization list. Selective
prompting is used to control what parameters are valid to be
entered from the menu option. The user is only allowed to
'vary on' a device.
** VRYCFGOFF. The TAA command is controlled by the TAAVRYCFGO
To set up Departmental Security, see the previous discussion.
Objects used by the tool
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
CRTDPTSEC *CMD CLP TAASEDB2 QATTCMD
TAASEDBC *PGM CLP TAASEDBC QATTCL
TAASEDBC2 *PGM CLP TAASEDBC2 QATTCL
TAASEDBC3 *PGM CLP TAASEDBC3 QATTCL
TAASEDBD *FILE DSPF TAASEDBD QATTDDS
* TAADPTSEC *AUTL
The TAADPTSEC authorization list is not shipped. Create it with the
CRTDPTSEC command if required.
The TAASEDBC3 program adopts to access the INZPWD values from