The Copy User Profile 2 command is an option on the SECOFR2 menu to
allow a user (such as an Assistant Security Officer) to create a new
profile by copying an existing profile. The user must be authorized
to the TAACPYUSR2 authorization list.
A typical command would be:
CPYUSRPRF2 FROMUSRPRF(aaa) TOUSRPRF(bbb) +
TEXT('...')
Most attributes of the 'from user profile' are copied. Auditing
values are copied using the CHGUSRAUD command.
The PASSWORD prompt defaults to allow either *NONE, *USRPRF, or
*RANDOM (a random value). The PWDEXP parameter is automatically
specified as *YES if the password is set to *USRPRF. This forces the
user to change the password on the first sign on. If the password is
set to *RANDOM, the password is expired as specified on the PWDEXP
keyword.
The random password function uses the TAA INZPWD command internally.
The completion message describes the random password. This allows a
further option to disable the user profile if the user does not
sign on during the same day. See the INZPWD tool for further
discussion.
The PASSWORD parameter may be fixed to *NONE, *USRPRF, or *RANDOM,
which prevents a change by the user. See the discussion of 'Changing
the PASSWORD default'.
The Security Officer determines if a user of CPYUSRPRF2 will be
allowed to copy a user profile that has special authorities such as
*JOBCTL or *ALLOBJ. By default, a user profile which contains any
special authorities cannot be used to copy from. For example, it
would generally not be desirable to let an Assistant Security Officer
make a copy of the QSECOFR profile.
The Security Officer can use the EDTCONARR command to change the
CPYUSRPRF2 data area in TAASECURE to specify which special
authorities may exist to allow a copy to be made. See the later
discussion.
CPYUSRPRF2 is an option on the SECOFR2 menu. CPYUSRPRF2 is intended
as a convenient method of cloning an existing user profile. The
CHGUSRPRF2 tool could then be used to tailor the user profile.
After creating the user profile, CHGOBJOWN is used to change the
owner to QSECOFR. The CPYUSRPRF2 user retains all rights to the user
profile. Changing the owner to QSECOFR is done to prevent a problem
in a disaster recovery situation where the name of the owner of the
profile comes later in the alphabet than the name of the user profile
that was created. System profiles are restored first, followed by the
user-created profiles in alphabetical order. If user BBB creates
profile AAA, the AAA user profile is restored without BBB being on
the system, and the owner would become QDFTOWN.
Changing the PASSWORD default
-----------------------------
By default, the PASSWORD parameter is prompted for and the user is
allowed to enter *NONE, *USRPRF, or *RANDOM. You may choose one of
the values and prevent the user from making a change by use of the
CPYUSRPRF2 Application Value. As an *ALLOBJ user, enter:
EDTAPPVAL APPVAL(TAASECURE/CPYUSRPRF2)
The shipped default is *DFT, which means the user of the command may
choose either *NONE, *USRPRF, or *RANDOM. If *NONE, *USRPRF, or
*RANDOM is entered instead, the user of CPYUSRPRF2 no longer has a
choice.
Use with the TAADPTSEC Authorization List
-----------------------------------------
An alternative approach is to allow for multiple assistant security
officers who can each manage a set of unique user profiles. This is
called a 'Departmental Security Officer'. See the discussion of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.
Differences with the CPYUSRPRF tool
-----------------------------------
The CPYUSRPRF TAA Tool is intended to be used in a CL program that is
invoked by the Security Officer or in a program that adopts the
Security Officer's profile. The command requires the user to be
authorized to the CRTUSRPRF command.
CPYUSRPRF2 is a similar function, but is intended to be used by
Assistant Security Officers and is controlled by use of the
TAACPYUSR2 authorization list.
Copying from user profiles with groups and supplemental groups
--------------------------------------------------------------
If group profiles or supplemental groups exist with the profile to be
copied, the user performing the copy must be authorized to these
profiles.
Copying from user profiles with special authorities
---------------------------------------------------
By default, CPYUSRPRF2 will not allow copying from a user profile
that contains any special authorities such as *JOBCTL or *ALLOBJ.
This occurs because no special authorities are shipped in the data
area CPYUSRPRF2 in TAASECURE.
If the Security Officer determines that it should be valid to copy
from a user profile that contains a special authority, that special
authority must be entered into the CPYUSRPRF2 data area.
The EDTCONARR TAA Tool should be used as:
EDTCONARR DTAARA(TAASECURE/CPYUSRPRF2)
An edit display will appear. Each special authority that is
considered valid should be entered. The value entered must be in
upper case and appear exactly as the special authority appears in the
profile such as:
*JOBCTL
*SPLCTL
If both *JOBCTL and *SPLCTL are entered, it would be valid to copy
from a user profile that had either or both. However, a user profile
that contained either or both plus another special authority (such as
*SERVICE) could not be used.
In general, the Security Officer should not include the special
authorities *ALLOBJ, *SECADM, and *SERVICE. Any user profiles
requiring this level of control should be created manually.
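The following CL program is an added example and is not the TAA tool's own code. It applies the rule described in this section: the source profile may be copied only when every special authority it holds appears in the allowed list, so a profile holding *JOBCTL plus *SERVICE is rejected even if *JOBCTL is allowed. The program name CHKCPYAUT is hypothetical, and because the layout of the CPYUSRPRF2 data area is not documented here, the allowed list is passed as a parameter (in the same 15 x 10 character layout RTVUSRPRF returns) rather than read from the data area.

```cl
/* Added example (hypothetical CHKCPYAUT), not the TAA tool's code. */
/* &FROMUSR may be used as a copy source only if every special     */
/* authority it holds appears in &ALLOWED. &ALLOWED holds up to 15  */
/* left-justified 10-character entries in upper case, e.g.          */
/* '*JOBCTL   *SPLCTL   '; the allowed list is a parameter here     */
/* because the CPYUSRPRF2 data area layout is not documented.       */
PGM        PARM(&FROMUSR &ALLOWED)
  DCL      VAR(&FROMUSR) TYPE(*CHAR) LEN(10)
  DCL      VAR(&ALLOWED) TYPE(*CHAR) LEN(150)
  DCL      VAR(&SPCAUT)  TYPE(*CHAR) LEN(150)
  DCL      VAR(&ONEAUT)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&I)       TYPE(*INT)  LEN(4)
  DCL      VAR(&J)       TYPE(*INT)  LEN(4)
  DCL      VAR(&POS)     TYPE(*INT)  LEN(4)
  DCL      VAR(&FOUND)   TYPE(*LGL)

  /* Special authorities actually held by the source profile       */
  /* (15 entries of 10 characters, blank-padded at the end)         */
  RTVUSRPRF  USRPRF(&FROMUSR) SPCAUT(&SPCAUT)

  DOFOR      VAR(&I) FROM(1) TO(15)
    CHGVAR   VAR(&POS) VALUE((&I - 1) * 10 + 1)
    CHGVAR   VAR(&ONEAUT) VALUE(%SST(&SPCAUT &POS 10))
    /* The first blank entry ends the list of held authorities     */
    IF       COND(&ONEAUT *EQ ' ') THEN(LEAVE)

    /* Look for this authority in the allowed list                  */
    CHGVAR   VAR(&FOUND) VALUE('0')
    DOFOR    VAR(&J) FROM(1) TO(15)
      CHGVAR VAR(&POS) VALUE((&J - 1) * 10 + 1)
      IF     COND(%SST(&ALLOWED &POS 10) *EQ &ONEAUT) THEN(DO)
        CHGVAR VAR(&FOUND) VALUE('1')
        LEAVE
      ENDDO
    ENDDO

    /* One authority outside the allowed list is enough to refuse  */
    /* the copy, whatever else the profile holds                    */
    IF       COND(*NOT &FOUND) THEN(DO)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Profile' *BCAT &FROMUSR *BCAT +
                        'holds special authority' *BCAT &ONEAUT *BCAT +
                        'which is not allowed as a copy source') +
                 MSGTYPE(*ESCAPE)
    ENDDO
  ENDDO
ENDPGM
```

The program ends normally when the source profile is acceptable and sends escape message CPF9898 naming the first offending special authority otherwise, so a calling program can monitor for it before running the copy.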
Changing the text of the CPF1118 message for 'No password'
----------------------------------------------------------
If you create profiles with the default of PASSWORD(*NONE), when the
user signs on he will see the message:
CPF1118 No password associated with user xxx.
It is possible to change the text of this message by using the
WRKMSGD command:
WRKMSGD MSGID(CPF1118)
Use Option 2 to see the current message text.
You may want to add to the First level message text '... with user
&1. Call the Help Desk Xnnnn.'
Changing the message text must be done for each release of the
operating system. You could have a CL program that makes any
required changes on each new release and use the CHGMSGD command such
as:
CHGMSGD MSGID(CPF1118) MSGF(QCPFMSG) +
MSG('No password associated with +
user &1. Call the Help Desk Xnnnn.')
Command parameters *CMD
------------------
FROMUSRPRF The from user profile to be used as a base. Most
meaningful parameters will be copied.
TOUSRPRF The new profile to be created. The PASSWORD
parameter is set to the same name as the user. The
PWDEXP parameter is set to *YES to force the user to
change the password at the next signon.
PASSWORD The password to be assigned.
The default may be fixed by an option in the
CPYUSRPRF2 Application Value in TAASECURE. This
prevents the user from changing the value.
The shipped default for the Application Value is
*DFT, which causes the command prompt to be filled
with *NONE, but the values *USRPRF or *RANDOM may be
entered.
*NONE means the profile may not be signed onto. The
intent of *NONE is to avoid creating a user profile
with an obvious password that may not be used for
some time.
When the user attempts to sign on, a specific system
message (CPF1118) describes that the profile cannot
be signed onto. If the user calls a help desk, the
help desk can use the TAA INZPWD command to
initialize the password to the user profile name or
a random password. The user can then sign on, but is
required to change his password immediately.
It is possible to change the message text of CPF1118
to your situation. See the previous discussion.
*USRPRF may be specified to create the profile with
a password of the same value as the profile name.
When the user signs on, he is required to change his
password immediately.
*RANDOM may be entered to generate a random
password. This uses the TAA INZPWD tool to generate
the random password. The password expiration is
then set to the value of the PWDEXP keyword. INZPWD
also provides an option to disable the user profile
if the user does not sign on during the same day.
See the discussion with the INZPWD tool.
Note that the password parameter does not allow the
entry of a value other than *NONE, *USRPRF, or
*RANDOM. The user of the command cannot enter other
characters to make a specific password.
TEXT The text description of the new profile to be
created.
PWDEXP Ignored unless PASSWORD(*RANDOM) is used. If *YES,
then set the password to expired so the user must
change it on first use. If *NO, then the randomly
generated password can be used to sign on. The
default is *YES.
CHGOWN Specifies if CHGOBJOWN should be run to transfer
ownership of the newly created user profile to
QSECOFR. If *YES, then the owner will be QSECOFR
for disaster recovery reasons. See the full
documentation for the tool to see when this might
apply. If *NO, then the owner of the new profile is
the default owner. The default is *YES.
Restrictions
------------
Not all of the attributes of the user profile are copied. Some
parameters make no sense to copy as the system creates new values
such as MSGQ, GID, and UID. Some parameters such as SUPGRPPRF
(supplemental group profiles) are not supported.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKAPOST Check apostrophes
INZPWD Initialize password
RTVSPCAUT Retrieve special authorities
SNDCOMPMSG Send completion message
Implementation
--------------
None, the tool is ready to use.
If the Security Officer wants to allow copying of user profiles that
contain special authorities, they must be entered as described
previously.
Objects used by the tool
------------------------
Object       Type    Attribute  Src member  Src file
------       ----    ---------  ----------  ----------
CPYUSRPRF2   *CMD               TAASEDR     QATTCMD
TAASEDRC     *PGM    CLP        TAASEDRC    QATTCL
TAASEDRC2    *PGM    CLP        TAASEDRC2   QATTCL
TAASEDRC2 is a prompt override program to supply the text description
from the Copy From user profile.