Feature Article

The RESETUSER Command

Use Adopted Authority For Resetting Passwords

. . . . But Use Safeguards ( Source Code Provided )

By Dan Riehl - SecureMyi.com

Sometimes IBM i Special Authorities are required by users that are not system administrators or security officers. For example, when users forget their passwords or disable their profiles through excessive failed attempts to log in, the helpdesk personnel or operations staff need the ability to reset the password and re-enable the user profile. The Special Authority required to perform these functions is called Security Administrator (*SECADM) Special Authority. In practice, All Object (*ALLOBJ) Special Authority is also needed to be able to perform these sensitive password resets. *ALLOBJ Special Authority is needed to ensure that the Help Desk or Operations Staff have enough authority to the User Profiles that they need to reset. Normally, User Profiles are created with a *PUBLIC authority of *Exclude, allowing changes only by very powerful system administrators which have *ALLOBJ and *SECADM special authority.

The simple solution is to just give all these Help Desk and Operations users *SECADM and *ALLOBJ special authority, however, *SECADM and *ALLOBJ special authority also lets users create and change other attributes of user profiles, and *ALLOBJ provides unrestricted access to all files, libraries, programs, etc. You do not want to give these users carte blanche to create and change user profiles at will, and you really do NOT want to give them full access to all *SECADM and *ALLOBJ special authority full time. You want to give them only the ability to reset passwords and status for selected user profiles. After all, you don't want to give the Help Desk and Operations staff the ability to reset the passwords for QSECOFR and other powerful profiles. You also do not want them to have the *ALLOBJ authority, to be able to change payroll amounts or view/change other sensitive data. This article discusses a very good method to allow a user to 'borrow' the *SECADM and *ALLOBJ authority required to reset a user profile, but then return that borrowed authority as soon as that distinct task is completed. This method prevents the use of the borrowed authority to do tasks that are beyond the user's scope or responsibility.

Borrowing Special Authority

One of the best methods to provide temporary use of the *SECADM and *ALLOBJ special authority is to use the IBM i facility called Program Adoption of Authority(PAA). Adoption of authority provides for temporary use of an elevated level of authority to perform functions that the user is not normally authorized to do. Here we deal with adopting the *SECADM and *ALLOBJ special authority to allow a user to reset a user profile status and password.

The Big Picture

The adopted authority technique can be used to adopt any special authority, with an ultimate view of removing, as much as possible, the assignment of any User Special Authorities.

The RESETUSER Command

The purpose of the RESETUSER command is to give a help desk or operations user the temporary authority to reset the password and/or status of a user profile.

The command consists of two parts, the command definition and the CL program. In order to secure the command and program, and to configure the program adoption of authority correctly, there are instructions for creating the command and the program. These step by step instructions are found at the end of the article.

SafeGuards in RESETUSER

We need to ensure that this command is not improperly used to reset the IBM-supplied user profiles like QSECOFR and QSYSOPR. You also want to ensure that the command cannot be used to reset the passwords for users who have powerful special authorities, such as *ALLOBJ, *SERVICE, *SAVSYS, *AUDIT, *IOSYSCFG and *SECADM. If these could be reset, it would provide a way for the user of the command to set a password for the powerful profiles, sign on as that profile, and perform unauthorized activities.

Note: You may also want to prohibit the user of the command to reset the password for certain power users, like the Accounting Manager, or Programming Manager. To do this, simply insert your own rules into the CL program code at the appropriate spot.

Examining the Code

The RESETUSER command definition accepts four parameters:

• USER -- The user profile name to be reset
• PASSWORD -- The new user password. The default is *USRPRF, which sets the password to the profile name. If the value *SAME is specified, no change to the user's password is performed. If a value other than *USRPRF and *SAME is specified, it will be set as the password for the user.

  Notice that the PASSWORD parameter specifies DSPINPUT(*PROMPT). This causes any password typed into the PASSWORD prompt to be displayed to the user of the command, but to keep it secret from prying eyes, the password is NOT written to the job's joblog.

• EXPIRED -- Sets the password to an expired state if the default *YES is selected. *NO is also valid, in which case the password is not set to expired.
• STATUS -- If the default *ENABLED is selected, the profile is enabled for use. If *DISABLED is specified, the profile is disabled.

Read More and Get The RESETUSER Command Source Code