IBM i Global

A space for professionals working with IBM’s integrated OS for Power systems to exchange ideas, ask questions, and share expertise on topics like RPG and COBOL development, application modernization, open source integration, system administration, and business continuity.
  • 1.  Service Account Cannot Access All User Profiles

    Posted Mon July 10, 2023 11:39 AM

    We have a service account--ABCGEODB--used from an external server to pull from qsys2.user_Info. Recently, we have noticed that newly created user profiles are not on the list.  When someone with *ALLOBJ ran the query from the IBM i--THISSERVER--all expected records were on the list.  When I ran the query with my more limited access, I was missing two users. When I tried to display one of them from a command line, I saw Not authorized to user profile ABCTDUNC. We believe we simply need to add some special authority to the service account, which we can test with my account.  We are at a loss as to which special authority to add. 

    Thank you for your input. 

    select * from qsys2.user_Info 
    where authorization_name like '%ABC%' 
    and supplemental_group_List like '%DEFGHIJ%' 
    order by 1 
    ;



    ------------------------------
    David Taylor
    ------------------------------

    Attachment: ABCGEODB.txt (txt, 7 KB, 1 version)


  • 2.  RE: Service Account Cannot Access All User Profiles

    Posted Mon July 10, 2023 11:26 PM

    Dear David,

    Please try assigning the special authority *SECADM. *SECADM is for allowing a user to work with user profiles on the system.



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 3.  RE: Service Account Cannot Access All User Profiles

    Posted Tue July 11, 2023 03:33 AM
    Edited by Dominique Gayte Tue July 11, 2023 03:34 AM

    Dear David,
    The ABCGEODB user profile must have the special authority *SECADM to use QSYS2.USER_INFO (or be authorized via Change Function Usage (CHGFCNUSG) for function ID QIBM_DB_SECADM).

    But he can only see the user profiles on which he has the *USE right.

    You may have recently changed the rights management when creating profiles (the default is *EXCLUDE) so that the profile used no longer has rights to new profiles.

    You can:
    • Give the special right *ALLOBJ to ABCGEODB. This is the easiest to do, but I strongly advise against it.
    • Put a public right *USE on newly created user profiles, which I also advise against.
    • The remaining option is to give a private right *USE to ABCGEODB for all the profiles concerned.

    The public rights of old profiles should be checked. If they are not at *EXCLUDE, that's not a good thing. But be careful before modifying this value; it could lead to malfunctions. You can test on a profile and understand why the public rights are not at *EXCLUDE (JOBD, batch ...).

    I hope that is clear.

    ------------------------------
    Dominique Gayte
    ------------------------------



  • 4.  RE: Service Account Cannot Access All User Profiles

    Posted Tue July 11, 2023 03:48 AM

    David,

    As per IBM documentation: 

    Authorization: Only *USRPRF objects that the caller has *OBJOPR and *READ authority to will be returned. To see a non-null value for the USER_DEFAULT_PASSWORD column, the caller must have *ALLOBJ and *SECADM authority.

    Regards,



    ------------------------------
    Keith Pryke
    ------------------------------
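The two replies above explain the same mechanism from both sides: *SECADM (or the QIBM_DB_SECADM function) lets a profile call QSYS2.USER_INFO at all, but each row is still filtered on *OBJOPR plus *READ to the individual *USRPRF object. The query below is an added example, not posted by anyone in this thread, for finding the profiles that will silently drop out of the service account's result set. It assumes the documented QSYS2.OBJECT_STATISTICS table function (column OBJNAME) and the QSYS2.OBJECT_PRIVILEGES view (columns AUTHORIZATION_NAME, OBJECT_TYPE, OBJECT_OPERATIONAL, DATA_READ), and uses the thread's service account name ABCGEODB; substitute your own.

```sql
-- Added audit query (not from the thread). Run it as a user with *ALLOBJ,
-- otherwise the catalog views are themselves filtered by the caller's authority.
-- Lists every *USRPRF for which ABCGEODB holds neither a private grant nor a
-- *PUBLIC grant that includes both *OBJOPR and *READ, i.e. the profiles that
-- QSYS2.USER_INFO will not return when ABCGEODB runs the query.
WITH all_profiles AS (
    SELECT OBJNAME AS profile_name
    FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*USRPRF'))
),
readable_by_service AS (
    SELECT OBJECT_NAME AS profile_name
    FROM QSYS2.OBJECT_PRIVILEGES
    WHERE OBJECT_TYPE = '*USRPRF'
      AND AUTHORIZATION_NAME IN ('ABCGEODB', '*PUBLIC')
      AND OBJECT_OPERATIONAL = 'YES'   -- *OBJOPR
      AND DATA_READ = 'YES'            -- *READ
)
SELECT p.profile_name
FROM all_profiles p
WHERE NOT EXISTS (
    SELECT 1
    FROM readable_by_service r
    WHERE r.profile_name = p.profile_name
)
ORDER BY p.profile_name;
```

The query only looks at direct private grants and *PUBLIC; authority inherited through a group profile or an authorization list is not followed, so a profile secured that way can show up as a false positive. Comparing its output with the two names missing from the original run is the quickest way to confirm that object authority, not a special authority, is the cause.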



  • 5.  RE: Service Account Cannot Access All User Profiles

    Posted Tue July 11, 2023 08:12 AM

    By the time this question was reviewed and posted, another group where I posted the question had recommended looking at the user profile object authority. We found that indeed the working profiles had one set of object authorities assigned and the failing profiles were missing one or two of the authorities. We used the grant object authority command from the service account to the failing accounts and resolved the problem. Thanks for the input.

    GRTOBJAUT OBJ(ABCTDUNC) OBJTYPE(*USRPRF) REFOBJ(ABCGEODB) REFOBJTYPE(*USRPRF)



    ------------------------------
    David Taylor
    ------------------------------



  • 6.  RE: Service Account Cannot Access All User Profiles

    Posted Tue July 11, 2023 03:46 PM

    Hopefully you have not opened up the authority on your user profiles very much.  You could be creating an exposure where users are now able to submit jobs to run under OTHER users.



    ------------------------------
    Steven Riedmueller
    Certified IBM i Admin
    Speaker, Mentor, and Advocate
    ------------------------------



  • 7.  RE: Service Account Cannot Access All User Profiles

    Posted Wed July 12, 2023 07:30 AM

    I thought REFOBJ(ABCGEODB) REFOBJTYPE(*USRPRF)  was a unique way to solve this.  I would have thought you would have done the following instead:  USER(ABCGEODB) AUT(*OBJOPR *READ)

    The reason this concerns me is that ABCGEODB now has all the authority to those profiles as he does to his own.  Including the ability to change their passwords, etc.  However if you had used USER(ABCGEODB) AUT(*OBJOPR *READ) instead then that user would only be allowed to read it.  Tested with the following:

    CRTUSRPRF USRPRF(DUMMY) PASSWORD(...)

    Signed on as DUMMY.  Tried sql

    select * from qsys2.user_Info        
    where authorization_name like '%ROB%'

    and no rows returned.

    Then I ran

    GRTOBJAUT OBJ(ROB) OBJTYPE(*USRPRF) USER(DUMMY) AUT(*OBJOPR *READ)

    Then I signed back on as dummy and tried the sql and it worked.

    Then I promptly deleted DUMMY.



    ------------------------------
    Robert Berendt, IBM Champion
    ------------------------------
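The concern raised above is that REFOBJ copies whatever authority ABCGEODB has on its own profile (normally *ALL as owner) onto the target profile, while QSYS2.USER_INFO only needs *OBJOPR and *READ (*USE adds only *EXECUTE). The query below is an added example, not part of the thread, that lists the over-grants so they can be reduced. It assumes the documented QSYS2.OBJECT_PRIVILEGES view and its authority columns (OBJECT_AUTHORITY, OBJECT_MANAGEMENT, OBJECT_EXISTENCE, OBJECT_ALTER, OBJECT_REFERENCE, DATA_ADD, DATA_UPDATE, DATA_DELETE), and again uses the thread's account name ABCGEODB.

```sql
-- Added audit query (not from the thread). Run as a user with *ALLOBJ.
-- Flags every other user profile on which ABCGEODB holds anything beyond *USE
-- (*OBJOPR, *READ, *EXECUTE). Rows here typically come from a
-- GRTOBJAUT ... REFOBJ(...) copy of the owner's *ALL, and can be brought back
-- to the minimum with
--   GRTOBJAUT OBJ(name) OBJTYPE(*USRPRF) USER(ABCGEODB) AUT(*OBJOPR *READ) REPLACE(*YES)
SELECT OBJECT_NAME       AS profile_name,
       OBJECT_AUTHORITY  AS summary,        -- *ALL, *CHANGE, USER DEFINED, ...
       OBJECT_MANAGEMENT AS objmgt,         -- *OBJMGT
       OBJECT_EXISTENCE  AS objexist,       -- *OBJEXIST
       OBJECT_ALTER      AS objalter,       -- *OBJALTER
       OBJECT_REFERENCE  AS objref,         -- *OBJREF
       DATA_ADD          AS dataadd,        -- *ADD
       DATA_UPDATE       AS dataupd,        -- *UPD
       DATA_DELETE       AS datadlt         -- *DLT
FROM QSYS2.OBJECT_PRIVILEGES
WHERE OBJECT_TYPE = '*USRPRF'
  AND AUTHORIZATION_NAME = 'ABCGEODB'
  AND OBJECT_NAME <> 'ABCGEODB'            -- its own profile is expected to be *ALL
  AND (   OBJECT_MANAGEMENT = 'YES'
       OR OBJECT_EXISTENCE  = 'YES'
       OR OBJECT_ALTER      = 'YES'
       OR OBJECT_REFERENCE  = 'YES'
       OR DATA_ADD          = 'YES'
       OR DATA_UPDATE       = 'YES'
       OR DATA_DELETE       = 'YES')
ORDER BY OBJECT_NAME;
```

An empty result means the service account is at or below *USE on every profile it can read, which is the state the test with DUMMY above arrives at: *OBJOPR and *READ are enough for the USER_INFO rows to appear, and nothing more needs to be granted.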



  • 8.  RE: Service Account Cannot Access All User Profiles

    Posted Wed July 26, 2023 12:44 PM

    After working some with the SYS ADMIN, we narrowed this down and granted authority to the base user profile created for the purpose. The user profile is a service account. 

    GRTOBJAUT OBJ(ABCDTAYL) OBJTYPE(*USRPRF) USER(SERVICE)  



    ------------------------------
    David Taylor
    ------------------------------