SecureMyi.com Security and Systems Management Newsletter for the IBM i                             Issue Date:     October 30, 2018
Security Training from SecureMyi.com

Feature Article

The RESETUSER Command

Use Adopted Authority For Resetting Passwords

. . . But Use Safeguards (Source Code Provided)

By Dan Riehl - SecureMyi.com

Sometimes IBM i Special Authorities are required by users who are not system administrators or security officers. For example, when users forget their passwords or disable their profiles through excessive failed sign-on attempts, the help desk or operations staff need the ability to reset the password and re-enable the user profile. The Special Authority required to perform these functions is Security Administrator (*SECADM) Special Authority. In practice, All Object (*ALLOBJ) Special Authority is also needed to perform these sensitive password resets, because it ensures that the help desk or operations staff have enough authority to the user profiles they need to reset. Normally, user profiles are created with a *PUBLIC authority of *EXCLUDE, allowing changes only by very powerful system administrators who have *ALLOBJ and *SECADM special authority.

The simple solution is to give all of these help desk and operations users *SECADM and *ALLOBJ special authority. However, *SECADM and *ALLOBJ special authority also let users create and change other attributes of user profiles, and *ALLOBJ provides unrestricted access to all files, libraries, programs, and so on. You do not want to give these users carte blanche to create and change user profiles at will, and you really do NOT want to give them *SECADM and *ALLOBJ special authority full time. You want to give them only the ability to reset passwords and status for selected user profiles. After all, you don't want the help desk and operations staff to be able to reset the passwords for QSECOFR and other powerful profiles, and you do not want them to have *ALLOBJ authority that lets them change payroll amounts or view and change other sensitive data. This article discusses a very good method to allow a user to 'borrow' the *SECADM and *ALLOBJ authority required to reset a user profile, and then return that borrowed authority as soon as that distinct task is completed. This method prevents the use of the borrowed authority for tasks beyond the user's scope or responsibility.

Borrowing Special Authority

One of the best methods to provide temporary use of the *SECADM and *ALLOBJ special authority is the IBM i facility called Program Adoption of Authority (PAA). Adoption of authority provides temporary use of an elevated level of authority to perform functions that the user is not normally authorized to do. Here we adopt the *SECADM and *ALLOBJ special authorities to allow a user to reset a user profile's status and password.

The Big Picture

The adopted authority technique can be used to adopt any special authority, with the ultimate goal of removing, as far as possible, the assignment of special authorities to individual users.

The RESETUSER Command

The purpose of the RESETUSER command is to give a help desk or operations user the temporary authority to reset the password and/or status of a user profile.

The command consists of two parts: the command definition and the CL program. To secure the command and program, and to configure program adoption of authority correctly, step-by-step instructions for creating the command and the program are provided at the end of the article.

Safeguards in RESETUSER

We need to ensure that this command cannot be misused to reset IBM-supplied user profiles like QSECOFR and QSYSOPR. We also want to ensure that the command cannot be used to reset the passwords of users who hold powerful special authorities, such as *ALLOBJ, *SERVICE, *SAVSYS, *AUDIT, *IOSYSCFG and *SECADM. If these could be reset, the user of the command could set a password for a powerful profile, sign on as that profile, and perform unauthorized activities.

Note: You may also want to prohibit the user of the command from resetting the password for certain power users, like the Accounting Manager or Programming Manager. To do this, simply insert your own rules into the CL program code at the appropriate spot.

Examining the Code

The RESETUSER command definition accepts four parameters:

  • USER -- The user profile name to be reset
  • PASSWORD -- The new user password. The default is *USRPRF, which sets the password to the profile name. If *SAME is specified, the user's password is not changed. Any other value is set as the user's password.

    Notice that the PASSWORD parameter specifies DSPINPUT(*PROMPT). Any password typed into the PASSWORD prompt is displayed to the user of the command, but to keep it secret from prying eyes, the password is NOT written to the job's joblog.

  • EXPIRED -- Sets the password to an expired state if the default *YES is selected. If *NO is specified, the password is not set to expired.
  • STATUS -- If the default *ENABLED is selected, the profile is enabled for use. If *DISABLED is specified, the profile is disabled.
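The following CL program is an added example of the safeguards and parameter handling described above; it is not the article's source code (that is available through the link below). It assumes the four parameters of the RESETUSER command definition are passed in the order USER, PASSWORD, EXPIRED, STATUS, and the program name RESETUSR is a placeholder.

```cl
/* RESETUSR - added example of the RESETUSER safeguards, not the       */
/* article's own source. Compile with                                   */
/*   CRTCLPGM PGM(yourlib/RESETUSR) USRPRF(*OWNER) LOG(*NO)             */
/* owned by a profile holding *SECADM and *ALLOBJ, so callers adopt     */
/* that authority only while this program runs.                         */
PGM PARM(&USER &PASSWORD &EXPIRED &STATUS)
  DCL VAR(&USER)     TYPE(*CHAR) LEN(10)
  DCL VAR(&PASSWORD) TYPE(*CHAR) LEN(128) /* *USRPRF, *SAME or a value */
  DCL VAR(&EXPIRED)  TYPE(*CHAR) LEN(4)   /* *YES or *NO               */
  DCL VAR(&STATUS)   TYPE(*CHAR) LEN(10)  /* *ENABLED or *DISABLED     */
  DCL VAR(&SPCAUT)   TYPE(*CHAR) LEN(150) /* 15 slots of 10 characters */
  DCL VAR(&AUT)      TYPE(*CHAR) LEN(10)
  DCL VAR(&I)        TYPE(*INT)  LEN(4)
  DCL VAR(&POS)      TYPE(*INT)  LEN(4)

  /* Safeguard 1: IBM-supplied profiles (QSECOFR, QSYSOPR, ...) all     */
  /* begin with Q. Refuse them before anything else is looked up.       */
  IF COND(%SST(&USER 1 1) *EQ 'Q') THEN( +
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
        MSGDTA('RESETUSER refused: IBM-supplied profile' *BCAT &USER))

  /* Safeguard 2: refuse any profile that holds a powerful special      */
  /* authority, so the command cannot be used to take over one of them. */
  /* RTVUSRPRF itself fails with an escape message if &USER does not   */
  /* exist, which ends the program before any change is made.          */
  RTVUSRPRF USRPRF(&USER) SPCAUT(&SPCAUT)
  DOFOR VAR(&I) FROM(1) TO(15)
     CHGVAR VAR(&POS) VALUE((&I - 1) * 10 + 1)
     CHGVAR VAR(&AUT) VALUE(%SST(&SPCAUT &POS 10))
     IF COND(&AUT *EQ '*ALLOBJ'  *OR &AUT *EQ '*SECADM' *OR +
             &AUT *EQ '*SERVICE' *OR &AUT *EQ '*SAVSYS' *OR +
             &AUT *EQ '*AUDIT'   *OR &AUT *EQ '*IOSYSCFG') THEN( +
        SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
           MSGDTA('RESETUSER refused:' *BCAT &USER *BCAT 'holds' *BCAT &AUT))
  ENDDO

  /* Site-specific rules (e.g. a list of managers' profiles to exclude) */
  /* belong here, before the change is made.                            */

  /* Perform the reset. *USRPRF and *SAME are values CHGUSRPRF itself   */
  /* accepts for PASSWORD, so the parameter passes straight through.    */
  CHGUSRPRF USRPRF(&USER) PASSWORD(&PASSWORD) PWDEXP(&EXPIRED) +
            STATUS(&STATUS)
  SNDPGMMSG MSGID(CPF9897) MSGF(QCPFMSG) MSGTYPE(*COMP) +
     MSGDTA('User profile' *BCAT &USER *BCAT 'has been reset.')
ENDPGM
```

Because the program ends with an escape message as soon as a safeguard trips, the CHGUSRPRF is never reached for a refused profile, and the caller sees the reason in the escape message text.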

Read More and Get The RESETUSER Command Source Code


Featured YouTube Educational Video

IBM i Security

Are your User Profiles Vulnerable to Profile Hijacking?

Featured Video - HiJack User Profile

Security News and Events


Live Security Related Webcasts and Training for IBM i

November Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - November 5-9 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries Concepts and Facilities
with Control Language Programming Workshop
with Dan Riehl

Training Workshop - November 26 - 30 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

December Events

Live Hands-On - Introduction to ILE RPG IV Programming Workshop
with Dan Riehl

Training Workshop - December 3-7 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Operations Workshop
with Dan Riehl

Training Workshop - December 10-12 - Presented by The 400 School, Inc.
Dan Riehl presents this 3-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - December 13-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - December 17-21 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

January 2019 Events

Live Hands-On - IBM i (iSeries, AS/400) Security Audit and Vulnerability Assessment Workshop
with Dan Riehl

Training Workshop - January 7 - 10 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Query/400 Workshop for Technical Staff and End Users
with Dan Riehl

Training Workshop - January 11 - Presented by The 400 School, Inc.
Dan Riehl presents this 1-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - COBOL/400 Programming Workshops forming Now
for January and February, 2019
with Dan Riehl

Training Workshop - Dates To Be Determined - Presented by The 400 School, Inc.
Dan Riehl presents these 5-Day Live Online Hands-on Workshops.
More Information and Register to Attend


Security Shorts

A Caveat When Using Adopted Authority

By Dan Riehl - SecureMyi.com

We often use "Adopted Authority" to allow a user to perform operations that they have no inherent authority to perform. For example, as shown in the Feature Article in this issue, many of us use adopted authority to allow help desk users to reset a password or reset a user status.

You can also use adopted authority to allow the help desk to create user profiles or change other attributes of existing user profiles. But there is one major caveat when creating or changing user profiles under adopted authority: adopted authority cannot be used to assign a user to a group profile.

As an example, a help desk user runs a program to create a user profile. The program adopts the authority of Security Officer (QSECOFR), temporarily making the user "all powerful."

But in order to assign a user to a group profile (or supplemental group profile), the help desk user must have his or her own authority to the group profile being assigned to the user. Adopted authority cannot be used to assign the group.

The IBM documentation states that the user creating or changing the profile must have *CHANGE and *OBJMGT rights to the group profile in order to assign a user to the group and that the authority cannot come from the use of adopted authority.

This bothered me, as I did not want to give the help desk users that much authority to groups that they may need to assign. With *CHANGE authority, the help desk users would be able to run jobs as the group or otherwise hijack the group. (For more information on this exposure, see this issue's Educational Video on Hijacking a User Profile.)

In my testing, I was able to confirm that I could remove the *EXECUTE right for the help desk user to the groups they need to assign, thereby preventing the misuse of the group profiles.

So, yes, you assign the help desk users *CHANGE and *OBJMGT rights to the group profile they need to assign and then remove their *EXECUTE rights, in order to protect the group from being misused.

It is interesting that the help desk users can change the other attributes of a user profile while running under QSECOFR adopted authority, but they cannot assign a new group to which they are not authorized.

See the IBM support document on this topic.
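The authority setup the article arrives at, shown as an added example rather than anything from the article or the IBM support document. HELPDESK (the help desk user profile) and ACCTGRP (a group profile it must be able to assign) are constructed names.

```cl
/* Added example, not from the article. HELPDESK and ACCTGRP are        */
/* constructed names for a help desk profile and a group profile it     */
/* must be able to assign to users under adopted authority.             */

/* Weak setting: *CHANGE plus *OBJMGT satisfies the IBM requirement for */
/* assigning the group, but *CHANGE includes *EXECUTE, which lets       */
/* HELPDESK submit jobs as ACCTGRP and so hijack the group.             */
GRTOBJAUT OBJ(QSYS/ACCTGRP) OBJTYPE(*USRPRF) USER(HELPDESK) AUT(*CHANGE)
GRTOBJAUT OBJ(QSYS/ACCTGRP) OBJTYPE(*USRPRF) USER(HELPDESK) AUT(*OBJMGT)

/* Corrected setting: keep the grant above, then take *EXECUTE back.    */
RVKOBJAUT OBJ(QSYS/ACCTGRP) OBJTYPE(*USRPRF) USER(HELPDESK) AUT(*EXECUTE)

/* The same result as a single grant, spelled out as the individual     */
/* authorities that remain (*CHANGE = *OBJOPR *READ *ADD *UPD *DLT      */
/* *EXECUTE, with *EXECUTE dropped and *OBJMGT added). REPLACE(*YES)   */
/* discards whatever HELPDESK held before, so the result is exact.      */
GRTOBJAUT OBJ(QSYS/ACCTGRP) OBJTYPE(*USRPRF) USER(HELPDESK) +
          AUT(*OBJOPR *OBJMGT *READ *ADD *UPD *DLT) REPLACE(*YES)

/* Verify: HELPDESK should appear as USER DEF with *OBJMGT and without  */
/* *EXECUTE in the displayed authorities.                               */
DSPOBJAUT OBJ(QSYS/ACCTGRP) OBJTYPE(*USRPRF)
```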


Copyright 2014-2018 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017