
USER PROFILE

1. What is the command to request the system to list the members of a particular group
profile, with the assumption that my user ID is just a normal user ID (without the
SECADM function)? Please help.
dspusrprf usrprf(grpxxx) type(*grpmbr)

SECURITY
AS400 security is about limiting what a user can access, operate and manage on the system.

User profile
User profiles identify users to the system and are used to verify their authorities on the
system (DSPUSRPRF, CHGUSRPRF, EDTOBJAUT).

User profiles tell the system who can sign on and what functions the user can perform on
system resources after signing on.

The security officer or security administrator can create it.

The user profile defines the following attributes for a particular user:

1) User class
2) Objects owned and authorized
3) Authorization to objects
4) Current library
5) Initial program and menu
6) Maximum storage allowed
7) Priority limit
8) Group profile

Create User Profile (CRTUSRPRF)

Type choices, press Enter.

User profile . . . . . . . . . . > iRobo Name


User password . . . . . . . . . *USRPRF Character value, *USRPRF...
Set password to expired . . . . *NO *NO, *YES
Status . . . . . . . . . . . . . *ENABLED *ENABLED, *DISABLED
User class . . . . . . . . . . . *USER *USER, *SYSOPR, *PGMR...
Assistance level . . . . . . . . *SYSVAL *SYSVAL, *BASIC, *INTERMED...
Current library . . . . . . . . *CRTDFT Name, *CRTDFT
Initial program to call . . . . *NONE Name, *NONE
Library . . . . . . . . . . . Name, *LIBL, *CURLIB
Initial menu . . . . . . . . . . MAIN Name, *SIGNOFF
Library . . . . . . . . . . . *LIBL Name, *LIBL, *CURLIB
Display sign-on information . . *SYSVAL *SYSVAL, *NO, *YES
Maximum allowed storage . . . . *NOMAX Kilobytes, *NOMAX
Highest schedule priority . . . 3 0-9
Job description . . . . . . . . QDFTJOBD Name
Library . . . . . . . . . . . *LIBL Name, *LIBL, *CURLIB

Group profile . . . . . . . . . *NONE Name, *NONE


Owner . . . . . . . . . . . . . *USRPRF *USRPRF, *GRPPRF
Group authority . . . . . . . . *NONE *NONE, *ALL, *CHANGE, *USE...
Group authority type . . . . . . *PRIVATE *PRIVATE, *PGP

More...
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys

User class
When identifying a user on the system you can specify the user class in the user profile.
AS/400 has five user classes that determine the level of system access a user is permitted.
The five user classes, starting from the highest level of access, are:

Security officer (*SECOFR)


Security administrator (*SECADM)
Programmer (*PGMR)
System operator (*SYSOPR)
User (*USER)
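As an added example (not part of the original notes), the CL program below creates an ordinary operator profile along the lines of the CRTUSRPRF prompt above, with the lowest user class, no special authorities, a restricted command line, and its authority coming only through the group profile. The names Z03OPER, G#SAFE and AMINEM are taken from the screens later on this page; TEMP1234 is a placeholder password that is expired so it must be changed at first sign-on, and QDFTJOBD is the default job description shown in the prompt.

```cl
/* Added example: create a least-privilege operator profile.            */
/* Z03OPER, G#SAFE and AMINEM come from the screens in these notes;     */
/* TEMP1234 is a placeholder password, expired so it has to be changed  */
/* at first sign-on.                                                    */
             PGM

             CRTUSRPRF  USRPRF(Z03OPER)                        +
                        PASSWORD(TEMP1234)                     +
                        PWDEXP(*YES)                           +
                        STATUS(*ENABLED)                       +
                        USRCLS(*USER)                          +
                        SPCAUT(*NONE)                          +
                        CURLIB(AMINEM)                         +
                        INLPGM(*NONE)                          +
                        INLMNU(MAIN)                           +
                        LMTCPB(*YES)                           +
                        MAXSTG(*NOMAX)                         +
                        PTYLMT(3)                              +
                        JOBD(QDFTJOBD)                         +
                        GRPPRF(G#SAFE)                         +
                        OWNER(*GRPPRF)                         +
                        GRPAUT(*NONE)                          +
                        GRPAUTTYP(*PRIVATE)                    +
                        TEXT('Operator - authority via G#SAFE')
             /* CPF2214: the user profile already exists; report and stop */
             /* rather than silently reusing a profile with unknown settings. */
             MONMSG     MSGID(CPF2214) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG)          +
                           MSGDTA('Z03OPER already exists')      +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Verify: the group's member list now shows Z03OPER       */
             /* (the same DSPUSRPRF TYPE(*GRPMBR) as in question 1),    */
             /* and the basic display confirms class and special authority. */
             DSPUSRPRF  USRPRF(G#SAFE) TYPE(*GRPMBR) OUTPUT(*PRINT)
             DSPUSRPRF  USRPRF(Z03OPER) TYPE(*BASIC) OUTPUT(*PRINT)

             ENDPGM
```

LMTCPB(*YES) keeps the user from changing the initial program, initial menu and current library of their own profile and from running most commands from the command line, so the initial menu really does bound what the profile can do; USRCLS(*USER) with SPCAUT(*NONE) gives no special authority beyond what the group grants. To suspend the profile later, CHGUSRPRF USRPRF(Z03OPER) STATUS(*DISABLED) is the corresponding command.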

Object Authority

Object authority, the right of a user to use or control an object, comes in two categories:
Object rights
Data rights

Object Authority Type

*EXCLUDE The user cannot access the object.

*CHANGE The user can change and perform basic functions on the object.

*ALL The user can control the object's existence, specify the security for the object,
change the object, and perform basic functions on the object.

*USE The user can perform basic operations on the object, such as running a program or
reading a file. The user cannot change the object.

Object rights

Object rights assign a user the following authorities:

Object operational rights (*OBJOPR)
Object management rights (*OBJMGT)
Object existence rights (*OBJEXIST)
Object alter rights (*OBJALTER)
Object reference rights (*OBJREF)

*OBJEXIST Object existence authority provides the authority to control the object's
existence and ownership, such as deleting an object, freeing storage for an object,
performing save and restore operations for an object, or transferring ownership of an
object.

*OBJMGT Object management authority provides the authority to specify the security for
the object, move or rename the object, and add members to database files.

*OBJOPR Object operational authority provides the authority to look at the description of
an object and to use the object as determined by the user's data authority to the object.

Data rights
Data rights apply to the data contained within the object.

*ADD Add authority provides the authority to add entries to an object (for example, job
entries to a job queue or records to a file).

*DLT Delete authority allows the user to remove entries from an object (for example,
messages from a message queue or records from a file).

*READ Read authority provides the authority needed to show the contents of an object.

*UPD Update authority provides the authority to change the entries in an object.

*EXECUTE Execute authority provides the authority needed to run a program or locate an
object in a library or directory.

Edit Object Authority

Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE


Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS

Type changes to current authorities, press Enter.


Object secured by authorization list . . . . . . . . . . . . *NONE

Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *CHANGE X
*GROUP G#SAFE *ALL X X X X X

Bottom
F3=Exit F5=Refresh F6=Add new users F10=Grant with reference object
F11=Display data authorities F12=Cancel F17=Top F18=Bottom

OBJECT AUTHORITY: *USE, *CHANGE, *

Add New Users

Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE


Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS

Type new users, press Enter.

Object ----------Object-----------
User Authority Opr Mgt Exist Alter Ref

_______ _______ __ __ __ __ __

More...
F3=Exit F11=Display data authorities F12=Cancel F17=Top F18=Bottom

Add New Users

Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE


Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS

Type new users, press Enter.

Object ---------------Data---------------
User Authority Read Add Update Delete Execute
Z03OPER *USE _x__ __ __ __ __

Work with Objects

Type options, press Enter.


2=Edit authority 3=Copy 4=Delete 5=Display authority 7=Rename
8=Display description 13=Change description

Opt Object Type Library Attribute Text


2 ADDCL *PGM AMINEM CLP clp prm to add 2 var
CAP52I00 *PGM AMINEM CBL Account fee condition intro
CFP13RA0M *PGM AMINEM CBL Fee Statement Extraction pg
ENTRY_CL *PGM AMINEM CLP ENTRY CL PGM
FPT1_PGM *PGM AMINEM RPG entry pgm to be called
More...
Parameters for options 5, 7 and 13 or command
===>
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F11=Display names and types
F12=Cancel F16=Repeat position to F17=Position to
Not authorized to change authorities. >>>>>>>>>>>>>>>>>>>>>>>>

Edit Object Authority

Object . . . . . . . : ADDCL Owner . . . . . . . : G#SAFE


Library . . . . . : AMINEM Primary group . . . : *NONE
Object type . . . . : *PGM ASP device . . . . . : *SYSBAS

Type changes to current authorities, press Enter.

Object secured by authorization list . . . . . . . . . . . . *NONE

Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *CHANGE X
*GROUP G#SAFE *ALL X X X X X
Z03OPER USER DEF X X X X X

Object ---------------Data---------------
User Group Authority Read Add Update Delete Execute
*PUBLIC *CHANGE X X X X X
*GROUP G#SAFE *ALL X X X X X
Z03OPER USER DEF X

Bottom
F3=Exit F5=Refresh F6=Add new users F10=Grant with reference object
F11=Display data authorities F12=Cancel F17=Top F18=Bottom

Work with Objects

Type options, press Enter.


2=Edit authority 3=Copy 4=Delete 5=Display authority 7=Rename
8=Display description 13=Change description

Opt Object Type Library Attribute Text


ADDCL *PGM AMINEM CLP clp prm to add 2 var
CAP52I00 *PGM AMINEM CBL Account fee condition intro
CFP13RA0M *PGM AMINEM CBL Fee Statement Extraction pg
ENTRY_CL *PGM AMINEM CLP ENTRY CL PGM
FPT1_PGM *PGM AMINEM RPG entry pgm to be called
GEN *PGM AMINEM RPGLE GENERATION OF ACCOUNT NUMBE
More...
Parameters for options 5, 7 and 13 or command
===> call aminem/addcl
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F11=Display names and types
F12=Cancel F16=Repeat position to F17=Position to

Not authorized to program ADDCL in library AMINEM. >>>>>>>>>>>>>>>>>>>>>>
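The screens above show why Z03OPER is refused even though *PUBLIC has *CHANGE on ADDCL: Z03OPER has a private (USER DEF) entry with only *READ, and on IBM i a private authority entry replaces group and public authority rather than adding to it, so the missing *OBJOPR and *EXECUTE cannot be picked up from *PUBLIC. As an added example (not from the original notes), the CL program below produces the same EDTOBJAUT state with GRTOBJAUT and RVKOBJAUT and ends with a CHKOBJ that reports the refusal as a monitored message instead of an abnormal end. Object AMINEM/ADDCL, group G#SAFE and user Z03OPER come from the screens on this page.

```cl
/* Added example: set the authorities shown in the EDTOBJAUT screens   */
/* with commands, then test access with CHKOBJ. AMINEM/ADDCL, G#SAFE   */
/* and Z03OPER come from the screens in these notes.                    */
             PGM

             /* Row "*PUBLIC *CHANGE": *OBJOPR plus all five data rights */
             GRTOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) +
                        USER(*PUBLIC) AUT(*CHANGE)

             /* Row "*GROUP G#SAFE *ALL": every object and data right   */
             GRTOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) +
                        USER(G#SAFE) AUT(*ALL)

             /* Row "Z03OPER USER DEF" with only Read: clear whatever   */
             /* private entry exists, then grant *READ alone. Without  */
             /* *OBJOPR and *EXECUTE the program cannot be called, and */
             /* the private entry stops *PUBLIC from being consulted.  */
             RVKOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) +
                        USER(Z03OPER) AUT(*ALL)
             GRTOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) +
                        USER(Z03OPER) AUT(*READ)

             /* Review the result: the same rows as EDTOBJAUT, spooled */
             DSPOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) OUTPUT(*PRINT)

             /* Access test for the job's current user. Run as Z03OPER */
             /* this fails with CPF9802 (Not authorized to object);   */
             /* run as a member of G#SAFE it completes.               */
             CHKOBJ     OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) AUT(*USE)
             MONMSG     MSGID(CPF9802) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG)                +
                           MSGDTA('Current user lacks *USE on ADDCL') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* To let Z03OPER fall back to the *PUBLIC authority again, */
             /* remove the private entry rather than widening it:       */
             /*   RVKOBJAUT OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) +            */
             /*             USER(Z03OPER) AUT(*ALL)                      */

             ENDPGM
```

The CHKOBJ/MONMSG pair is the pattern to reuse in a wrapper such as the ENTRY_CL program listed in the Work with Objects screen: checking *USE before the CALL turns the "Not authorized to program" failure into a message the caller can handle and log. Note also that *CHANGE for *PUBLIC on a program is more than is needed to call it; *USE (*OBJOPR, *READ, *EXECUTE) is the smaller grant for callers.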

Group profile

A group profile is a profile that lets a number of users share the same authority to an
object.

Authorization list (*AUTL)
If we want to give different authority to different users, we use an authorization list.

Create Authorization List (CRTAUTL)

Type choices, press Enter.

Authorization list . . . . . . . AUTH01 Name


Text 'description' . . . . . . . *BLANK

Additional Parameters

Authority . . . . . . . . . . . *USE *CHANGE, *ALL, *USE, *EXCLUDE

Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys

Authorization list AUTH01 created.


Add Authorization List Entry (ADDAUTLE)

Type choices, press Enter.

Authorization list . . . . . . . > AUTH01 Name, generic*


User . . . . . . . . . . . . . . > AJAISWAL Name
+ for more values + >>>>>>>>>>>>>>> To add more user
Authority . . . . . . . . . . . *CHANGE *EXCLUDE, *CHANGE, *ALL...
+ for more values
Bottom
F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display
F24=More keys
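As an added example (not from the original notes), the CL program below carries the CRTAUTL and ADDAUTLE prompts above through to the step the prompts do not show: attaching the list to an object and routing the object's *PUBLIC authority through the list, so that one list entry decides a user's access to every object the list secures. AUTH01, AJAISWAL, Z03OPER and AMINEM/ADDCL are taken from this page; the text description and the *USE granted to Z03OPER are assumed for the example.

```cl
/* Added example: secure AMINEM/ADDCL with authorization list AUTH01.  */
/* AUTH01, AJAISWAL, Z03OPER and AMINEM/ADDCL come from these notes;   */
/* the description text and Z03OPER's *USE entry are assumed.          */
             PGM

             /* Authorization lists live in QSYS. Create the list only  */
             /* if it does not exist yet (CPF9801 = object not found), */
             /* with the list's own *PUBLIC authority closed.          */
             CHKOBJ     OBJ(QSYS/AUTH01) OBJTYPE(*AUTL)
             MONMSG     MSGID(CPF9801) EXEC(CRTAUTL AUTL(AUTH01) +
                          AUT(*EXCLUDE) TEXT('Fee programs in AMINEM'))

             /* One entry per user, each with its own authority: this   */
             /* is the "different authority to different users" case.  */
             ADDAUTLE   AUTL(AUTH01) USER(AJAISWAL) AUT(*CHANGE)
             ADDAUTLE   AUTL(AUTH01) USER(Z03OPER)  AUT(*USE)

             /* Attach the list to the object, and make the object's    */
             /* *PUBLIC authority come from the list (*AUTL) so the     */
             /* list is the single place where access is managed.      */
             GRTOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) AUTL(AUTH01)
             GRTOBJAUT  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) +
                        USER(*PUBLIC) AUT(*AUTL)

             /* Later changes touch the list, not each secured object:  */
             /*   CHGAUTLE AUTL(AUTH01) USER(AJAISWAL) AUT(*USE)         */
             /*   RMVAUTLE AUTL(AUTH01) USER(AJAISWAL)                  */

             /* Review: who is on the list, and which objects it secures */
             DSPAUTL    AUTL(AUTH01) OUTPUT(*PRINT)
             DSPAUTLOBJ AUTL(AUTH01) OUTPUT(*PRINT)

             ENDPGM
```

DSPAUTLOBJ is the check to run before changing or removing an entry: it lists every object secured by the list, which is the blast radius of that one change. A private entry granted directly on the object (as with Z03OPER in the EDTOBJAUT screens) is still consulted before the list entry, so a stray private grant can override what the list says.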

Lock states for objects

A lock state identifies the use of the object and whether it is shared.

Exclusive (*EXCL). The object is reserved for the exclusive use of the requesting job; no
other jobs can use the object. However, if the object is already allocated to another job,
your job cannot get exclusive use of the object. This lock state is appropriate when a user
does not want any other user to have access to the object until the function being
performed is complete.

Exclusive allow read (*EXCLRD). The object is allocated to the job that requested it, but
other jobs can read the object. This lock is appropriate when a user wants to prevent other
users from performing any operation other than a read.

Shared for update (*SHRUPD). The object can be shared either for update or read with
another job. That is, another user can request either a shared-for-read lock state or a
shared-for-update lock state for the same object. This lock state is appropriate when a
user intends to change an object but wants to allow other users to read or change the same
object.

Shared no update (*SHRNUP). The object can be shared with another job if the job
requests either a shared-no-update lock state, or a shared-for-read lock state. This lock
state is appropriate when a user does not intend to change an object but wants to ensure
that no other user changes the object.

Shared for read (*SHRRD). The object can be shared with another job if the user does
not request exclusive use of the object. That is, another user can request an exclusive-
allow-read, shared-for-update, shared-for-read, or shared-no-update lock state.

Table 31. Valid lock state combinations

If one job obtains this lock state:   Another job can obtain this lock state:
*EXCL                                 None
*EXCLRD                               *SHRRD
*SHRUPD                               *SHRUPD or *SHRRD
*SHRNUP                               *SHRNUP or *SHRRD
*SHRRD                                *EXCLRD, *SHRUPD, *SHRNUP, or *SHRRD
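As an added example (not from the original notes), the CL program below applies Table 31 in practice: it requests the exclusive (*EXCL) lock before a maintenance step on a program, so that no other job can use the program meanwhile, handles the case where another job already holds a lock, and releases the lock on every path out of the program. AMINEM/ADDCL is taken from the screens on this page; ADDCL_BAK and the 30-second wait are assumed for the example.

```cl
/* Added example: hold *EXCL on AMINEM/ADDCL during a maintenance     */
/* step. AMINEM/ADDCL comes from these notes; ADDCL_BAK and WAIT(30)   */
/* are assumed values.                                                  */
             PGM

             /* Per Table 31, *EXCL is granted only when no other job    */
             /* holds any lock on the object. WAIT(30) keeps trying for */
             /* 30 seconds; CPF1002 is sent when the lock still cannot  */
             /* be obtained.                                            */
             ALCOBJ     OBJ((AMINEM/ADDCL *PGM *EXCL)) WAIT(30)
             MONMSG     MSGID(CPF1002) EXEC(DO)
                /* Record which jobs hold the conflicting locks, then stop. */
                WRKOBJLCK  OBJ(AMINEM/ADDCL) OBJTYPE(*PGM) OUTPUT(*PRINT)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG)                   +
                           MSGDTA('ADDCL in use; see spooled lock list') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Maintenance step while the object is ours alone: keep a  */
             /* copy before anything that would alter or replace it.    */
             CRTDUPOBJ  OBJ(ADDCL) FROMLIB(AMINEM) OBJTYPE(*PGM) +
                        TOLIB(AMINEM) NEWOBJ(ADDCL_BAK)
             /* Whatever goes wrong, still release the lock below.      */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(RELEASE))

             /* Always release with the same object, type and state    */
             /* that were allocated.                                   */
 RELEASE:    DLCOBJ     OBJ((AMINEM/ADDCL *PGM *EXCL))

             ENDPGM
```

Choose the weakest state that protects the work: *EXCL stops every other job, while *SHRNUP is enough when the aim is only to prevent changes, since Table 31 still lets other jobs take *SHRNUP or *SHRRD alongside it. A job's locks are released when the job ends, but releasing explicitly, as here, keeps a long-running job from holding the object longer than the maintenance step needs.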
