Restoring Passwords & Private Authorities When Using RSTUSRPRF
September 17, 2014 Hey, Joe
Thanks for your nice article on copying user profiles between IBM i systems. I wanted to add that I copied a profile between systems and got this system message.

CPC3713 - &2 &1 restored without password or group linkage

I fixed it by adding the Security Data parameter to the Restore User Profile (RSTUSRPRF) command. I’m running IBM i 6.1.

–Avraham

Here’s what happened with Avraham’s system and how it affects user profile restores.

When moving user profiles between systems, IBM has two scenarios for restoring passwords and private authorities for user profiles.

1. If you are using RSTUSRPRF to restore all user profiles (*ALL) from one system to another, you can run the command this way to restore each user profile’s corresponding password and private authorities along with their profiles.

RSTUSRPRF DEV(*SAVF) USRPRF(*ALL) SAVF(save file library name/save file name) SECDTA(*USRPRF)

The Security Data (SECDTA) parameter and the User Profile (USRPRF) parameter work together to restore user profile passwords and private authorities to user profiles. By default, SECDTA is set to *USRPRF. When USRPRF = *ALL and SECDTA = *USRPRF, the system will restore passwords and all private authorities to every user profile during the restore process.

This is why administrators use this command to restore user profiles when migrating an entire system from one IBM i partition or Power machine to another. It restores every user profile along with their related passwords and authorities.

Because this command restores private authorities, the Restore User Profile command for *ALL users is normally run after you restore the IBM i operating system to a target partition but before you restore the system user libraries. This means you still have to run the Restore Authority (RSTAUT) command to restore object authorities for your user profiles, after your user libraries are restored.

2. If you are using RSTUSRPRF to restore individual or wildcard user profiles and you don’t change the SECDTA parameter, you are running this command by default.

RSTUSRPRF DEV(*SAVF) USRPRF(user profile name) SAVF(save file library name/save file name) SECDTA(*USRPRF)

When restoring individual user profiles or groups of user profiles this way, the operating system does not restore the passwords and private authorities for individual user profiles. That’s why Avraham received the CPC3713 error shown above.

To restore an individual user profile or group of user profiles to a target system with the same passwords and private authorities they had on the source system, perform the following command.

RSTUSRPRF DEV(*SAVF) USRPRF(user profile name) SAVF(save file library name/save file name) SECDTA(*PWDGRP)

Running RSTUSRPRF this way will restore your user profile to the target system, along with the following attributes.
Now here’s the tricky part.

Along with Avraham’s feedback that you can use RSTUSRPRF this way for restoring individual user profiles and their password, I tested this command and duplicated Avraham’s results. I used a Save Security Data (SAVSECDTA) command to save my user profiles on my development system using IBM i 6.1. I then deleted one of my user profiles and restored it using the RSTUSRPRF command listed in point #2. As Avraham wrote, the user profile and the password were both restored to my target system.

But in its documentation for the green-screen RSTUSRPRF command, IBM states the following about special situations involving restoring individual profiles using RSTUSRPRF.

“If the user profile is restored on the media and is being restored individually, the new user profile is created without its password or group connection.”

The result is that while Avraham and I were both able to test restoring an individual user profile complete with its password under i 6.1, IBM has specifically mentioned that this technique may not work for restored user profiles. So while we’ve tested this technique for restoring passwords along with their user profiles, be aware that there may be situations where using SECDTA=*PWDGRP may not work for restoring individual profiles and their passwords.

–Joe

Joe Hertvik is an IBM i subject matter expert (SME) and the owner of Hertvik Business Services, a content strategy organization servicing the computer industry. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago, featuring multiple IBM i ERP systems. Joe is a contributing editor for IT Jungle and has written the Admin Alert column for IT Jungle since 2002. Check out his blog where he features practical information for tech users at joehertvik.com.

RELATED STORY

Admin Alert: Copying User Profiles Between Systems
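A post-restore check for the caveat in the answer above, as an added example that is not part of the original column or of IBM's documentation: it reports whether each restored profile has a password and a group profile, the two items message CPC3713 says can be missing. It assumes the target system runs a release that provides the QSYS2.USER_INFO view, and APPUSER1 and APPUSER2 are constructed placeholder profile names.

```sql
-- Added example: confirm that individually restored profiles kept their
-- password and group linkage after RSTUSRPRF ... SECDTA(*PWDGRP).
-- Assumption: the target release provides the QSYS2.USER_INFO view.
-- APPUSER1 and APPUSER2 are constructed placeholders; list the profiles
-- that were actually restored.
SELECT r.profile_name,
       u.status,
       u.no_password_indicator,
       u.group_profile_name,
       CASE
         -- No matching row: the profile is missing, or it is not visible
         -- to the profile running this query.
         WHEN u.authorization_name IS NULL
           THEN 'PROFILE NOT FOUND'
         -- Password is *NONE: the profile came back without its password.
         WHEN u.no_password_indicator = 'YES'
           THEN 'RESTORED WITHOUT PASSWORD'
         -- No group profile: only a problem if the source profile had one.
         WHEN u.group_profile_name = '*NONE'
           THEN 'NO GROUP PROFILE - COMPARE WITH SOURCE'
         ELSE 'PASSWORD AND GROUP PRESENT'
       END AS restore_check
  FROM (VALUES ('APPUSER1'), ('APPUSER2')) AS r (profile_name)
  LEFT JOIN qsys2.user_info u
    ON u.authorization_name = r.profile_name
 ORDER BY r.profile_name;
```

Running the same query on the source system gives the baseline to compare against, since a profile with no group profile there is expected to show none after the restore.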