TAA Tools


 The Display  Profile Authorizations command  displays one,  generic, or
 all profiles  and flags those  where the *PUBLIC or  an authorized user
 has  at least  *USE rights  to the  user profile.   The  owner, *ALLOBJ
 users, and  certain system profiles  are bypassed.   The user  profiles
 that are  flagged represent  a security exposure  as the *PUBLIC  or an
 authorized  user can submit  a job as  the user profile or  swap to the
 user profile.

 You must have *ALLOBJ authority to use DSPPRFAUT.

 A typical command would be:

              DSPPRFAUT  USRPRF(*ALL)

 All user  profiles would  be  listed along  with the  authorized  users
 (the  owning  user  profile  would  be bypassed).    If  a  *PUBLIC  or
 authorized  user has at least  *USE authority to the  user profile, the
 user would be flagged.  *ALLOBJ  users and certain system profiles  are
 bypassed to avoid clutter.

 Allowing the *PUBLIC or a specified user to have *USE authority to a
 user profile allows the *PUBLIC or authorized user to:

   **   Submit a job naming the user profile.

   **   Swap to the user profile during the running of a job.

 Both  of these  possibilities  represent  a security  exposure  in most

 In  addition, a user can  use WRKUSRPRF or DSPOBJD to  see the names of
 the user profiles on the system.

 Flagging user profile owners

 An option  exists on  the DSPPRFAUT to  flag those  user profiles  that
 are not  owned by  a list of  users.  The  default is *DFT  which means
 QSECOFR and QSYS.  You may name up to 300 users.

 Some  systems have  a requirement  that all user  profiles be  owned by
 designated profiles.   It  is not  necessarily a  security exposure  to
 have a user profile owned by other than QSECOFR or QSYS, but allowing
 the flag to occur can simplify checking for exception situations.

 Running under a profile that adopts *ALLOBJ

 If DSPPRFAUT  is run under a  profile that adopts an  *ALLOBJ user, the
 user profile *GROUP will be shown for  the user when a command such  as
 DSPOBJAUT is  used for the  profile.  The  *GROUP name also  appears in
 the  internal file  processed by  DSPPRFAUT.   Rather than  clutter the
 listing with this information, the *GROUP user profile is bypassed.
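
 The flagging rules described above, modelled in Python as an added
 example (not TAA Tools code).  The row layout, the sample profile names
 and the "review" handling of non-standard authority values are
 assumptions of this example; the bypass of certain system profiles is
 not modelled.

```python
# Added illustration of the DSPPRFAUT flagging rules; not TAA Tools code.
# The row layout and every sample name below are constructed.
from dataclasses import dataclass

# Standard object authority values, weakest to strongest.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}
DFT_OWNERS = frozenset({"QSECOFR", "QSYS"})   # AUTOWNERS(*DFT)

@dataclass(frozen=True)
class Auth:
    profile: str   # user profile being checked
    owner: str     # owner of that user profile
    user: str      # authorized user, *PUBLIC or *GROUP
    aut: str       # authority that `user` holds to the profile

def flag_profiles(rows, allobj_users, aut_owners=DFT_OWNERS):
    """Return {profile: sorted reasons} for the profiles that get flagged."""
    flags = {}
    for r in rows:
        reasons = flags.setdefault(r.profile, set())
        if r.owner not in aut_owners:
            reasons.add(f"owner {r.owner} not in AUTOWNERS")
        # Bypassed entries: *GROUP, *ALLOBJ users, the owner (BYPOWN(*YES)).
        if r.user == "*GROUP" or r.user in allobj_users or r.user == r.owner:
            continue
        if r.aut not in RANK:
            # Assumption of this example: surface unknown values for review.
            reasons.add(f"{r.user} has {r.aut} (review)")
        elif RANK[r.aut] >= RANK["*USE"]:
            reasons.add(f"{r.user} has {r.aut}")
    return {p: sorted(v) for p, v in flags.items() if v}

SAMPLE = [  # constructed rows
    Auth("PAYROLL", "QSECOFR", "QSECOFR", "*ALL"),
    Auth("PAYROLL", "QSECOFR", "*PUBLIC", "*USE"),
    Auth("PAYROLL", "QSECOFR", "*GROUP", "*ALL"),
    Auth("BATCHJOB", "DEVLEAD", "DEVLEAD", "*ALL"),
    Auth("BATCHJOB", "DEVLEAD", "*PUBLIC", "*EXCLUDE"),
    Auth("BATCHJOB", "DEVLEAD", "OPER1", "*CHANGE"),
    Auth("CLERK1", "QSECOFR", "*PUBLIC", "*EXCLUDE"),
    Auth("CLERK1", "QSECOFR", "SECADM", "*ALL"),
]

if __name__ == "__main__":
    allobj = {"QSECOFR", "SECADM"}
    for prof, why in flag_profiles(SAMPLE, allobj).items():
        print(prof, "->", "; ".join(why))
```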

 DSPPRFAUT escape messages you can monitor for

 None.  Escape messages from based-on functions will be re-sent.

 DSPPRFAUT Command parameters                          *CMD

    USRPRF        The  name or  generic name of  the user  profile to be
                  checked.  *ALL is  the default for all user  profiles.

    BYPOWN        A  *YES/*NO option  for  whether to  bypass the  owner
                  which   typically  has  all   authority  to  the  user
                  profile.  *YES is the default.

                  *NO  may   be   specified   to   include   the   owner

    AUTOWNERS     A  list  of up  to  300  owners  may be  specified  to
                  prevent  flagging.   The default  is *DFT  which means
                  QSECOFR and QSYS.

                  If a  user profile  is  not owned  by  a user  in  the
                  list, the user profile is flagged.

                  You  may want  to  add your  own  list of  valid  user
                  profiles that are allowed to own other profiles.

    REFRESH       An  option  to  determine  if  the  DSPUSRPRF  OUTFILE
                  function  is used to refresh  the TAASECKP file in the
                  TAASECURE library.   The default  is *YES meaning  the
                  file will be refreshed.

                  *DAYCHG  may be  specified which  means the  file will
                  be  refreshed if  the  last time  the file  was output
                  was on  a different  day.   *DAYCHG  assumes that  you
                  are using the  command repeatedly on the  same day and
                  do not want to keep refreshing the information.

                  *NO  may be specified  to use  the existing data.   If
                  no data exists, the file is output.

    OUTPUT        How to  output  the results.    * is  the  default  to
                  display the  spooled file  if the  command is  entered
                  interactively.   The spooled file is  deleted after it
                  is displayed.

                  If  the  command  is  entered in  batch  or  *PRINT is
                  specified, the  spooled file is  output and  retained.



 The following TAA Tools must be on your system:

      CHKALLOBJ       Check *ALLOBJ special authority
      CHKGENERC       Check generic name
      CRTLFSRC        Create logical file source
      CVTDAT          Convert date
      CVTLIBAUT       Convert library authorizations
      EXTLST2         Extract list 2
      RMVMSGKEY       Remove message key
      RTVSYSVAL3      Retrieve system value 3
      SCNVAR          Scan variable
      SNDCOMPMSG      Send completion message
      SNDESCINF       Send escape information
      SNDESCMSG       Send escape message


 None, the tool is ready to use.

 Objects used by the tool

    Object        Type    Attribute      Src member    Src file
    ------        ----    ---------      ----------    ----------

    DSPPRFAUT     *CMD                   TAASEIW       QATTCMD
    TAASEIWC      *PGM       CLP         TAASEIWC      QATTCL
    TAASEIWC2     *PGM       CLP         TAASEIWC2     QATTCL
    TAASEIWR      *PGM       RPG         TAASEIWR      QATTRPG

Added to TAA Productivity Tools July 15, 2011

Last modified on November 19, 2014 © 1995, 2014 - TAA Tools, Inc.