Power Global

Connect, learn, share, and engage with IBM Power.

  • 1.  Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Tue November 26, 2024 07:44 PM

    Hi. Is there an accepted practice for allowing a helpdesk to use Navigator for i to manage *USER passwords and statuses?

    Could a helpdesk user profile be configured to limit its ability to just managing other user profiles of class *USER?



    ------------------------------
    Joe Koontz
    ------------------------------


  • 2.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Tue November 26, 2024 08:39 PM
    Edited by Satid S Tue November 26, 2024 08:41 PM

    Dear Joe

    First you should make use of the following features in the Navigator for i GUI:

    For a user profile to be able to work with all user profiles in the system, you assign *SECADM special authority to that user profile. (You can start audit journaling for this user if traceability is desired.) I know of no way to restrict this to *USER class profiles.

    Other security topics for Navigator for i: https://www.ibm.com/support/pages/navigator-i-security



    ------------------------------
    Satid S
    ------------------------------



  • 3.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Wed November 27, 2024 04:04 AM

    @Joe There is nothing within IBM i itself that would allow you to do that. However, Navigator uses the CHGUSRPRF command to change user profiles.

    With a solution that can control the usage of CL commands, you can limit this in the way that you describe. That at the same time allows you to control the action of the Help Desk user even if they use a different interface, such as green-screen access or QCMDEXC over ODBC. 

    My employer sells such a solution: Command Security | IBM i Commands | Fortra

    Kurt



    ------------------------------
    Kurt Thomas
    Senior System Engineer
    Fortra
    ------------------------------



  • 4.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Wed November 27, 2024 07:14 AM

    My suggestion is look at something that will allow you to authenticate against an external system like LDAP.

    I get you don't want to have to reset passwords, but that is just another part of account management that you could get rid of by going to something like LDAP.

    Before we moved to external authentication we had a shell script that would allow them to reset passwords, which did input validation. Only admins could change root or other admins' accounts.



    ------------------------------
    Alexander Pettitt
    ------------------------------



  • 5.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Thu November 28, 2024 02:27 AM
    Edited by Thomas Barlen Thu November 28, 2024 02:27 AM

    Hi Joe, 

    What you can do is to give helpdesk users *CHANGE authority to the user profiles that they should be allowed to manage and give them *SECADM special authority. That way they can only modify those users. This does not limit the ability to just change the status and password; it also affects other parameters. But that would be a native solution without any additional tools or programming.

    Of course, you could have a small CL program that runs every night, or as an exit program when a user gets created or changed, that would automatically grant helpdesk users the *CHANGE permission when the criteria are met.



    ------------------------------
    Thomas Barlen
    ------------------------------



  • 6.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Thu November 28, 2024 02:30 AM

    The best solution is to develop a new command that allows to reset a profile (with the restrictions you want) and run it with adopted authority.

    This way you can easily give it to a helpdesk (not as a web interface, however) without any security issues.

    It can be done in a few hours, so it's not a big deal.



    ------------------------------
    Paul Nicolay
    ------------------------------



  • 7.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Thu November 28, 2024 01:54 PM

    Hi @Joe Koontz,

    Based on the need here, I would highly recommend not assigning *SECADM authority to the users just for resetting passwords. You can create a program that adopts the authority of another user and simply enables the user and changes the password. You can also list in the program the user profiles that should never be allowed to be changed by this program when it is used by any helpdesk person.

    Please refer to the below knowledge article if you would like to implement this.

    Allowing Users without SECADM Authority to Reset User Profiles



    ------------------------------
    Rohit Chauhan
    Senior Technical Specialist
    Norway
    ------------------------------
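
The adopted-authority program that posts 6 and 7 describe, written out as an added example. This is not code from the thread, from IBM's knowledge article, or from any product named here. The object names RSTPWDHD, HDSKLIB, HDSKOWNER and HELPDESK are assumptions, and the restrictions it enforces (deny IBM-supplied Q* profiles and the owner, allow only *USER-class profiles that hold no special authority directly or through their primary group) are one reasonable policy, not the only one. It goes a little beyond the posts by also refusing targets that inherit special authority from a group profile, which a name-only deny-list would miss.

```cl
/* RSTPWDHD: let a helpdesk reset the password of, and re-enable, a     */
/* *USER-class profile by adopting the authority of the program owner.   */
/* Added example, not code from the thread or from IBM. The names        */
/* RSTPWDHD, HDSKLIB, HDSKOWNER and HELPDESK are assumptions.            */
/*                                                                       */
/* One-time setup, run by a security officer:                            */
/*   CRTCLPGM  PGM(HDSKLIB/RSTPWDHD) SRCFILE(HDSKLIB/QCLSRC)             */
/*             USRPRF(*OWNER)                                            */
/*   CHGOBJOWN OBJ(HDSKLIB/RSTPWDHD) OBJTYPE(*PGM) NEWOWN(HDSKOWNER)     */
/*   GRTOBJAUT OBJ(HDSKLIB/RSTPWDHD) OBJTYPE(*PGM) USER(*PUBLIC)         */
/*             AUT(*EXCLUDE)                                             */
/*   GRTOBJAUT OBJ(HDSKLIB/RSTPWDHD) OBJTYPE(*PGM) USER(HELPDESK)        */
/*             AUT(*USE)                                                 */
/* HDSKOWNER holds *SECADM and *OBJMGT plus *USE to the profiles it may  */
/* touch; the HELPDESK group holds no special authority at all. Because  */
/* USRPRF(*OWNER) adopts the owner's special authorities while the       */
/* program runs, every restriction must live inside the program: the     */
/* caller cannot be trusted to pass a safe target.                       */

PGM        PARM(&USER &NEWPWD)

  DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)   /* target profile       */
  DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10)   /* temporary password   */
  DCL        VAR(&USRCLS) TYPE(*CHAR) LEN(10)
  DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(150)
  DCL        VAR(&GRPPRF) TYPE(*CHAR) LEN(10)
  DCL        VAR(&GRPSPC) TYPE(*CHAR) LEN(150)
  DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
  DCL        VAR(&MSG)    TYPE(*CHAR) LEN(80)

  /* Who is asking; adopted authority does not change the job user.     */
  RTVJOBA    USER(&CALLER)

  /* 1. Hard deny-list: IBM-supplied profiles (all start with Q) and the */
  /*    owner whose authority this program adopts.                       */
  IF  COND(%SST(&USER 1 1) *EQ 'Q' *OR &USER *EQ 'HDSKOWNER') THEN(DO)
      CHGVAR VAR(&MSG) VALUE('Profile' *BCAT &USER *BCAT +
                             'may not be reset from the helpdesk')
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
  ENDDO

  /* 2. Look the target up. CPF2204 means the profile does not exist.    */
  RTVUSRPRF  USRPRF(&USER) USRCLS(&USRCLS) SPCAUT(&SPCAUT) GRPPRF(&GRPPRF)
  MONMSG     MSGID(CPF2204) EXEC(DO)
      CHGVAR VAR(&MSG) VALUE('Profile' *BCAT &USER *BCAT 'does not exist')
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
  ENDDO

  /* 3. Only plain *USER profiles with no special authority of their own.*/
  IF  COND(&USRCLS *NE '*USER' *OR &SPCAUT *NE '*NONE') THEN(DO)
      CHGVAR VAR(&MSG) VALUE('Profile' *BCAT &USER *BCAT +
                             'is privileged; refused')
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
  ENDDO

  /* 4. Special authority is also inherited from the group profile, so   */
  /*    refuse if the primary group has any. Supplemental groups         */
  /*    (SUPGRPPRF) are not checked here and would need the same test.   */
  IF  COND(&GRPPRF *NE '*NONE') THEN(DO)
      RTVUSRPRF USRPRF(&GRPPRF) SPCAUT(&GRPSPC)
      IF COND(&GRPSPC *NE '*NONE') THEN(DO)
          CHGVAR VAR(&MSG) VALUE('Profile' *BCAT &USER *BCAT +
                                 'inherits special authority; refused')
          SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                    MSGTYPE(*ESCAPE)
      ENDDO
  ENDDO

  /* 5. The only change this program can make: a new password that       */
  /*    expires at first sign-on, and status back to *ENABLED. No other  */
  /*    profile attribute is reachable, unlike *CHANGE on the *USRPRF.   */
  CHGUSRPRF  USRPRF(&USER) PASSWORD(&NEWPWD) PWDEXP(*YES) STATUS(*ENABLED)
  MONMSG     MSGID(CPF0000) EXEC(DO)
      CHGVAR VAR(&MSG) VALUE('Reset of' *BCAT &USER *BCAT +
                             'failed; see the job log')
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
  ENDDO

  /* 6. Leave a trace in the caller's job log naming both parties. The   */
  /*    CP entry in the security audit journal (QAUDLVL *SECURITY) is    */
  /*    the authoritative record, as post 2 suggests.                    */
  CHGVAR     VAR(&MSG) VALUE('Password for' *BCAT &USER *BCAT +
                             'reset and profile enabled by' *BCAT &CALLER)
  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*COMP)

ENDPGM
```

The helpdesk calls it with `CALL PGM(HDSKLIB/RSTPWDHD) PARM('JSMITH' 'Temp1234')`; quote the password, since an unquoted CL token is folded to upper case and passwords are case-sensitive at QPWDLVL 2 and 3. Wrapping the program in a command object (CRTCMD), as post 6 suggests, gives the helpdesk a prompted interface and fixed parameter lengths. Note that this does not make Navigator for i itself usable for the task: as post 2 says, Navigator still needs *SECADM on the signed-on user, so the helpdesk runs this from a 5250 session or a front end that calls the program.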



  • 8.  RE: Allow a helpdesk to use Navigator for I to manage *users passwords and status?

    Posted Fri November 29, 2024 02:16 AM
    Edited by Marius le Roux Fri November 29, 2024 02:19 AM

    Hi Joe, 

    Normally Navigator for i is somewhat "clunky" and buggy when limited to user class; it is more of an admin tool than, say, a "user tool", though you can limit some of the functions somewhat.

    If there is some appetite for a "load and go" open source utility, you may find some of these worthwhile to explore:

    http://www.easy400.net/pwdreset/html/page1.htm

    http://www.easy400.net/chgpwd/html/page1.htm

    Usually, the person just asks for a donation amount to obtain the utilities, and they are well written.

    Else the simple CL that Rohit suggested could work as well behind a simple web interface that any developer can do (you might want to add some additional second-factor authentication as a security measure, though).

    But if your business requires stricter audit requirements with logging capabilities, this solution will be worth your money:

    https://www.kisco.com/ibm-i-security-and-compliance-software.html

    and as Kurt mentioned: https://www.fortra.com/products/password-self-service-tool-ibm-i

    HTH 

    Marius



    ------------------------------
    Marius le Roux
    Owner
    MLR Consulting
    ------------------------------