1. What is the command to request the system to list the members of a particular group
profile, assuming that my user ID is just a normal user ID (without the
SECADM function)? Please help.
dspusrprf usrprf(grpxxx) type(*grpmbr)
SECURITY
AS/400 security is about limiting what a user can access, operate and manage on the
system.
User profile
User profiles identify users to the system and are used to verify their authorities on
the system (DSPUSRPRF, CHGUSRPRF, EDTOBJAUT).
User profiles tell the system who can sign on and what functions the user can perform on
the system resources after signing on.
The user profile defines the following attributes for a particular user:
1) User class
2) Object owned and authorized
3) Authorization of objects
4) Current library
5) Initial program and menu
6) Maximum storage allowed
7) Priority limit
8) Group profile
User class
When identifying a user on the system you can specify the user class in the user profile.
AS/400 has five user classes that determine the level of systems access a user is permitted.
The five user classes, starting with the highest level of access, are:
Object Authority
Object authority, the right of a user to use or control an object, comes in two categories:
Object rights
Data rights
*CHANGE The user can change and perform basic functions on the object.
*ALL The user can control the object's existence, specify the security for the object, change the
*USE The user can perform basic operations on the object, such as running a program or reading
Object rights
*OBJEXIST Object existence authority provides the authority to control the object's existence and ownership, for example to delete an object, free storage for an object, perform save and restore operations for an object, or transfer ownership of an object.
*OBJMGT Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
Data rights
Data rights apply to the data contained within the object.
*ADD Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
*DLT Delete authority allows the user to remove entries from an object (for example, remove messages from a message queue or records from a file).
*READ Read authority provides the authority needed to show the contents of an object.
*UPD Update authority provides the authority to change the entries in an object.
*EXECUTE Execute authority provides the authority needed to run a program or locate an object in a library or directory.
Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *CHANGE X
*GROUP G#SAFE *ALL X X X X X
Bottom
F3=Exit F5=Refresh F6=Add new users F10=Grant with reference object
F11=Display data authorities F12=Cancel F17=Top F18=Bottom
Object ----------Object-----------
User Authority Opr Mgt Exist Alter Ref
_______ _______ __ __ __ __ __
More...
F3=Exit F11=Display data authorities F12=Cancel F17=Top F18=Bottom
Object ---------------Data---------------
User Authority Read Add Update Delete Execute
Z03OPER *USE _x__ __ __ __ __
Object ----------Object-----------
User Group Authority Opr Mgt Exist Alter Ref
*PUBLIC *CHANGE X
*GROUP G#SAFE *ALL X X X X X
Z03OPER USER DEF X X X X X
Object ---------------Data---------------
User Group Authority Read Add Update Delete Execute
*PUBLIC *CHANGE X X X X X
*GROUP G#SAFE *ALL X X X X X
Z03OPER USER DEF X
Bottom
F3=Exit F5=Refresh F6=Add new users F10=Grant with reference object
F11=Display data authorities F12=Cancel F17=Top F18=Bottom
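An added example, not part of the original page or of IBM's code: a Python model of the authority entries on the screens above, showing how the named authorities map to specific rights and which entry decides for a given user. It assumes a simplified search order (the user's own entry, then the group's, then *PUBLIC) and ignores special authorities, authorization lists and adopted authority; `ANYUSER` is a hypothetical profile, and the single data X for Z03OPER is taken to be Read.

```python
# Added example (not from the original page): models the authority entries
# shown on the EDTOBJAUT screens above.
OBJECT_RIGHTS = ("*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF")
DATA_RIGHTS = ("*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE")

# Specific rights behind each named authority.
NAMED = {
    "*ALL": frozenset(OBJECT_RIGHTS + DATA_RIGHTS),
    "*CHANGE": frozenset(("*OBJOPR",) + DATA_RIGHTS),
    "*USE": frozenset(("*OBJOPR", "*READ", "*EXECUTE")),
    "*EXCLUDE": frozenset(),
}

def authority_name(rights):
    """Name the Object Authority column would show for a set of rights."""
    rights = frozenset(rights)
    unknown = rights - NAMED["*ALL"]
    if unknown:
        raise ValueError(f"unknown rights: {sorted(unknown)}")
    for name, members in NAMED.items():
        if rights == members:
            return name
    return "USER DEF"

def matching_entry(user, group, entries):
    """Simplified search order (assumption): the user's own entry, then the
    group's, then *PUBLIC. The first entry found decides, even if it grants less."""
    for key in (user, group, "*PUBLIC"):
        if key is not None and key in entries:
            return key
    raise KeyError("no *PUBLIC entry")

def is_allowed(user, group, entries, needed):
    """True if the deciding entry contains every right in `needed`."""
    return frozenset(needed) <= entries[matching_entry(user, group, entries)]

# Constructed from the final screens above. Assumption: the single data "X"
# for Z03OPER is in the Read column.
ENTRIES = {
    "*PUBLIC": NAMED["*CHANGE"],
    "G#SAFE": NAMED["*ALL"],
    "Z03OPER": frozenset(OBJECT_RIGHTS + ("*READ",)),
}

if __name__ == "__main__":
    for who, rights in ENTRIES.items():
        print(f"{who:8} {authority_name(rights)}")
    # Z03OPER's own entry lacks *UPD, so *PUBLIC's *CHANGE does not help.
    print(is_allowed("Z03OPER", None, ENTRIES, ["*UPD"]))
    print(is_allowed("ANYUSER", None, ENTRIES, ["*UPD"]))  # hypothetical user
```

A private entry that grants less than *PUBLIC restricts that user, which is why Z03OPER cannot update the data here although every other user can.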
Group profile
A group profile is a profile that lets a number of users share the same authority to
an object.
A lock state identifies the use of the object and whether it is shared.
Exclusive (*EXCL). The object is reserved for the exclusive use of the requesting job; no
other jobs can use the object. However, if the object is already allocated to another job,
your job cannot get exclusive use of the object. This lock state is appropriate when a user
does not want any other user to have access to the object until the function being
performed is complete.
Exclusive allow read (*EXCLRD). The object is allocated to the job that requested it, but
other jobs can read the object. This lock is appropriate when a user wants to prevent other
users from performing any operation other than a read.
Shared for update (*SHRUPD). The object can be shared either for update or read with
another job. That is, another user can request either a shared-for-read lock state or a
shared-for-update lock state for the same object. This lock state is appropriate when a
user intends to change an object but wants to allow other users to read or change the same
object.
Shared no update (*SHRNUP). The object can be shared with another job if the job
requests either a shared-no-update lock state, or a shared-for-read lock state. This lock
state is appropriate when a user does not intend to change an object but wants to ensure
that no other user changes the object.
Shared for read (*SHRRD). The object can be shared with another job if the user does
not request exclusive use of the object. That is, another user can request an
exclusive-allow-read, shared-for-update, shared-for-read, or shared-no-update lock state.
If one job obtains this lock state: | Another job can obtain this lock state:
*EXCL | None
*EXCLRD | *SHRRD
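The lock-state rules described above, as an added Python example that is not part of the original page: each state is modelled by what its holder does and what it lets other jobs do, and two states can coexist only if each permits the other's use. The job names and the `allocate` helper are hypothetical.

```python
# Added example; the (use, permits) encoding is this example's own model of
# the five lock-state descriptions above.
LOCK_STATES = {
    # state:   (what the holder does, what it lets other jobs do)
    "*EXCL":   ("update", frozenset()),
    "*EXCLRD": ("update", frozenset({"read"})),
    "*SHRUPD": ("update", frozenset({"read", "update"})),
    "*SHRNUP": ("read",   frozenset({"read"})),
    "*SHRRD":  ("read",   frozenset({"read", "update"})),
}

def compatible(held, requested):
    """True if a job may obtain `requested` while another job holds `held`."""
    held_use, held_permits = LOCK_STATES[held]
    req_use, req_permits = LOCK_STATES[requested]
    return req_use in held_permits and held_use in req_permits

def obtainable(held):
    """Lock states another job can still obtain while `held` is in place."""
    return [state for state in LOCK_STATES if compatible(held, state)]

def allocate(requests):
    """Grant each (job, state) request in order if it is compatible with
    every lock already granted to another job; return {job: granted?}."""
    granted, result = [], {}
    for job, state in requests:
        ok = all(compatible(held, state) for _, held in granted)
        if ok:
            granted.append((job, state))
        result[job] = ok
    return result

# Constructed request sequence against a single object.
REQUESTS = [("JOB1", "*SHRRD"), ("JOB2", "*SHRUPD"),
            ("JOB3", "*SHRNUP"), ("JOB4", "*EXCL")]

if __name__ == "__main__":
    for state in LOCK_STATES:
        print(f"{state:8} | {', '.join(obtainable(state)) or 'None'}")
    print(allocate(REQUESTS))
```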