User profiles (type *USRPRF) are important objects because they identify users to the system. The name of a user profile object is the name the user needs to type at the sign-on display under "user profile."
User profiles are also the vehicle the system uses to set up an interactive environment when the user signs on. User profiles contain many attribute settings, such as the name of the user's assigned output queue, the printer used by default, the name of the Attention-key handling program, and the job description.
Never allow two people to share a user profile. Although you cannot be expected to keep people from disclosing each other's passwords or using each other's user profiles, you can take steps to minimize this practice. Specifically, do not give two or more people the same user profile.
All user profiles must reside in QSYS. Therefore, no duplicate user profiles can exist in the system. You should determine a convenient naming system for your user profiles before you install the system, if possible.
Resist the temptation to name the user profiles with the user's first or last name or a nickname. The system will not object if you create a user profile named JOHN, but you are likely to have more than one person named John in your company, and the system accepts no duplicates.
Using last names reduces the risk of duplication, but does not eliminate it. Even if two or more people are not related in any way, they may share the same last name.
In reality, no bulletproof method exists to avoid duplication unless you use some unique identification that cannot be repeated in your company, such as employee numbers or Social Security numbers. However, people other than employees may need access to your computer (such as a consultant or someone who rents computer time from you), so the employee number idea will not work. Social Security numbers are unique, but people might resent being identified by numbers. Users are people, and people want names.
The following naming system can be used with satisfactory results: combine the last name and the first name into the user profile. Pick the first three letters of each name and put them together. For example, if a user's name is Dorian Gray, the user profile would be GRADOR. Florence Nightingale's user profile would be NIGFLO. If you decide to use this naming system, be aware that, once in a while, you may create a user profile name that is not acceptable when spoken. Always say the new name aloud before you cast it in stone.
User profiles can be created, changed, deleted, and displayed. i5/OS provides several commands for the security administrator's use.
CRTUSRPRF creates a new user profile. CHGUSRPRF changes an existing profile. DLTUSRPRF deletes an existing user profile. DSPUSRPRF shows a user profile's information on the screen or on paper, and Work with User Profiles (WRKUSRPRF) presents a list of user profiles on the screen, sorted by name. You can easily run any of the other commands from this panel as well.
The CRTUSRPRF and CHGUSRPRF commands have many parameters. This book will not attempt to describe them. Instead, you should review the information presented in either the Security Concepts and Planning Guide or the CL Reference Guide.
Some of the more important parameters of the CRTUSRPRF command are described here to give you an idea of how the parameters are used.
The USRPRF parameter gives the user profile its name. PASSWORD assigns the sign-on password. When you create a new user profile, you should assign the new user a standard password such as TEMP, or make the password equal to the user profile name. However, you should specify PWDEXP(*YES), which tells the system that the user's password is expired. PWDEXP(*YES) forces the new user to change the password right after signing on for the first time.
Two parameters, USRCLS (user class) and SPCAUT (special authority), are interrelated. Actually, SPCAUT is the parameter that really counts when the new user is given authority to perform system-type activities, such as saving and restoring, or controlling jobs or printers.
For example, SPCAUT(*JOBCTL) informs the system that the new user is allowed to display and change information pertaining to other users' jobs. The user can cancel jobs unconditionally. If you specify SPCAUT(*USRCLS), however, the system looks at the USRCLS parameter to determine how much special authority it needs to give the user. This is the only time the USRCLS parameter is referenced. If you specify any value other than *USRCLS in the SPCAUT parameter, the USRCLS parameter does nothing.
For example, suppose you create a user profile with USRCLS(*SECOFR) SPCAUT(*NONE). Although the user has been classified as a security officer, he has no special authority at all because the SPCAUT parameter takes precedence over USRCLS.
INLPGM (initial program) determines what program to run when the user signs on. CURLIB (current library) indicates the library in which objects will be created, unless the system is told otherwise. INLMNU (initial menu) determines what menu to show when the user signs on, after the INLPGM finishes. If you specify INLMNU(*SIGNOFF), the user is signed off automatically when the INLPGM ends.
LMTCPB (limited capabilities) tells the system that the user must be restricted in certain ways. LMTCPB(*YES) will not let the user override the INLPGM, CURLIB, or INLMNU by typing different values at the sign-on display. The user also can't run most commands from the command line, except for innocuous commands such as DSPMSG, DSPJOB, DSPJOBLOG, SNDMSG, and SIGNOFF.
MSGQ (message queue) names the message queue that will accumulate the messages sent to the user. It is a good idea to leave the default value, so that the message queue is named after the user profile itself. Using the default simplifies your job considerably.
OUTQ (output queue) and PRTDEV (printer device) control where the system sends reports requested by the user. The OUTQ parameter is more important. Unless OUTQ(*DEV) is specified, the PRTDEV parameter does nothing.
ATNPGM (Attention-key handling program) names the program to execute when the user presses the Attention key.
Finally, the TEXT parameter is optional, but you should get into the habit of using it as if it were mandatory. Enter the user's full name and department in the text parameter to document your users.
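The naming system and the CRTUSRPRF parameters described above, combined in one CL program. This is an added example, not code from the book. The library APPLIB, the program APPMENU, and the printer PRT01 are hypothetical, and the caller is assumed to pass the names in uppercase.

```cl
/* Added example: create a restricted profile named by the         */
/* last-name/first-name scheme. APPLIB, APPMENU, PRT01 are made up. */
PGM        PARM(&LAST &FIRST &TEXT)
  DCL      VAR(&LAST)  TYPE(*CHAR) LEN(20)
  DCL      VAR(&FIRST) TYPE(*CHAR) LEN(20)
  DCL      VAR(&TEXT)  TYPE(*CHAR) LEN(32)
  DCL      VAR(&PRF)   TYPE(*CHAR) LEN(10)

  /* First three letters of the last name, then of the first name. */
  /* *TCAT drops trailing blanks, so a two-letter last name such   */
  /* as NG does not leave a blank inside the profile name.         */
  CHGVAR   VAR(&PRF) VALUE(%SST(&LAST 1 3) *TCAT %SST(&FIRST 1 3))

  /* Every profile lives in QSYS, so a name can exist only once.   */
  /* CPF9801 (object not found) means the name is still free.      */
  CHKOBJ   OBJ(QSYS/&PRF) OBJTYPE(*USRPRF)
  MONMSG   MSGID(CPF9801) EXEC(GOTO CMDLBL(CREATE))
  SNDPGMMSG MSG('Profile' *BCAT &PRF *BCAT +
                'already exists. Choose another name.')
  RETURN

CREATE:
  /* PASSWORD(TEMP) is the standard password the text suggests;    */
  /* PWDEXP(*YES) forces a change at the first sign-on.            */
  /* SPCAUT is given explicitly, so USRCLS grants nothing here.    */
  /* INLMNU(*SIGNOFF) signs the user off when APPMENU ends, and    */
  /* LMTCPB(*YES) stops overrides at the sign-on display.          */
  /* OUTQ(*DEV) is what makes the PRTDEV value take effect.        */
  CRTUSRPRF USRPRF(&PRF) PASSWORD(TEMP) PWDEXP(*YES) +
            USRCLS(*USER) SPCAUT(*NONE) +
            INLPGM(APPLIB/APPMENU) CURLIB(APPLIB) +
            INLMNU(*SIGNOFF) LMTCPB(*YES) +
            MSGQ(*USRPRF) +
            OUTQ(*DEV) PRTDEV(PRT01) +
            ATNPGM(*NONE) +
            TEXT(&TEXT)
ENDPGM
```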