Midrange News for the IBM i Community


Posted by: Paulster
Freelancer/Consultant
PvD Consultancy AB
Sweden and The Netherlands
Password reset / Activate profile
Published: 02 May 2013
Revised: 03 May 2013 - 4004 days ago

Hi Lads and lassies,

 

Being a small ICT department and the summer holidays coming up soon, I'm interested in writing a little routine, probably CL, that allows an ordinary end-user to activate his own or his colleague's profile or reset his password. I could not find an older discussion on this subject on this forum so I started a new thread.

Questions are:

- do you have such routines?

- if so, what do they generally do?

- what precautions do you take to avoid abuse? After all, you don't want someone resetting the admin profile!

We are under SOX rules and laws so I'm not sure this goes at all but I'm happy to get some tips at least. If SOX renders us unable to use the routines for ordinary end-users, we'll stick to authorizing the ICT dept employees only.

 

I already got the following:

- do not allow activation of profile with higher authority

- write relevant text to journal

 

Thanks in advance,

Paulster


COMMENTS

Posted by: DaleB
Premium member *
Reading, PA
Comment on: Password reset / Activate profile
Posted: 10 years 11 months 18 days 23 hours 29 minutes ago

We have a profile that the Help Desk uses. Their sign on takes them directly into the program. It prompts for user profile name, and it both sets a new password and changes status to *ENABLED. Up to the Help Desk to verify they're who they say they are. The program has a table of prohibited user profiles; pretty much all Q*, plus a few local application object owner and interface-only profiles.

You could do something similar, but to make it self service you'd have to authenticate somehow. Maybe a combination of something from their employee record, like employee Id number and SSN, plus a passphrase, security question, or something like that which you'd have to store somewhere.

Use an easy to remember id, like ENABLE password ENABLE. The signon program would call the password reset program, and end with SIGNOFF. Limited capability *YES, of course. Maybe initial menu *SIGNOFF. The program, btw, has to run with adopted authority of at least a *SECADM, maybe *ALLOBJ depending on whose password needs to be reset (our program is owned by QSECOFR).

I'm not sure I'd allow someone to reset someone else's password.

Another way to go is to train a backup security officer. Or you could put the QSECOFR password in a sealed envelope, in the hands of a trusted person, and they only open it if something comes up while you're away.

Posted by: Paulster
Premium member *
Sweden and The Netherlands
Comment on: Password reset / Activate profile
Posted: 10 years 11 months 18 days 6 hours 11 minutes ago

Thanks for your input Dale.

We currently have the HelpDesk profile in combination with the sealed envelope thingy but no dedicated program for resetting the password and enabling it, they have to do the whole CHGUSRPRF thing instead.

As you pointed out, there's a lot of extra validations to be done before you allow the end-users to do the job. So I'll settle for a new command just for profile enabling and password changing that the HelpDesk profile can use instead of what's there today. Just to make things simpler for them.

Regards,

Paulster
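
Added example, not posted by either participant: a CL program of the kind the thread describes for a Help Desk profile, combining the prohibited-profile check, the no-higher-authority rule and the journal entry. The program name RSTUSRPWD, the profiles APPOWNER and IFCUSER, and the journal SECLIB/PWDJRN are hypothetical; it assumes the program is compiled with USRPRF(*OWNER), owned by a profile with *SECADM, and that passwords are at most 10 characters.

```cl
/* RSTUSRPWD: Help Desk reset/enable program (added example, not from the   */
/* thread). Assumed: compiled USRPRF(*OWNER), owner has *SECADM, *PUBLIC    */
/* *EXCLUDE. APPOWNER, IFCUSER and SECLIB/PWDJRN are hypothetical names.    */
             PGM        PARM(&USER &NEWPWD)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&USRCLS) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
             DCL        VAR(&RESULT) TYPE(*CHAR) LEN(8) VALUE('REJECTED')
             DCL        VAR(&ENTDTA) TYPE(*CHAR) LEN(60)

/* *CURRENT is the job user, not the adopted owner, so the journal entry   */
/* names the person who actually ran the reset.                            */
             RTVUSRPRF  USRPRF(*CURRENT) RTNUSRPRF(&CALLER)

/* Prohibited profiles: all Q*, plus local owner/interface-only profiles.  */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(GOTO CMDLBL(AUDIT))
             IF         COND((&USER *EQ 'APPOWNER') *OR +
                          (&USER *EQ 'IFCUSER')) THEN(GOTO CMDLBL(AUDIT))

/* No higher authority: target must be class *USER with SPCAUT *NONE.      */
/* A profile that does not exist is rejected the same way.                 */
             RTVUSRPRF  USRPRF(&USER) USRCLS(&USRCLS) SPCAUT(&SPCAUT)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(AUDIT))
             IF         COND((&USRCLS *NE '*USER') *OR +
                          (%SST(&SPCAUT 1 5) *NE '*NONE')) +
                          THEN(GOTO CMDLBL(AUDIT))

/* Set a temporary password, already expired, and enable the profile.      */
             CHGUSRPRF  USRPRF(&USER) PASSWORD(&NEWPWD) PWDEXP(*YES) +
                          STATUS(*ENABLED)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(AUDIT))
             CHGVAR     VAR(&RESULT) VALUE('RESET')

/* Journal every attempt, rejected ones included, then fail loudly.        */
 AUDIT:      CHGVAR     VAR(&ENTDTA) VALUE('PWDRESET BY=' *CAT &CALLER +
                          *BCAT 'FOR=' *CAT &USER *BCAT 'RESULT=' +
                          *CAT &RESULT)
             SNDJRNE    JRN(SECLIB/PWDJRN) TYPE('PR') ENTDTA(&ENTDTA)
             IF         COND(&RESULT *NE 'RESET') THEN(SNDPGMMSG +
                          MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Password reset rejected for' *BCAT +
                          &USER) MSGTYPE(*ESCAPE))
             ENDPGM
```

The class and special-authority test is stricter than a comparison against the caller's own authority: any target above a plain *USER is refused, which also keeps a security officer profile out of reach without having to list it.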