Admin Alert: Decommissioning Group Profiles
July 14, 2004 Joe Hertvik
Group profiles are a great feature in any operating system, especially OS/400. By creating a group profile, you can authorize one user profile to a number of programs or files and then have other users “inherit” those authorizations by assigning them as members of that group profile. Group profiles centralize security: the authorizations are granted to a single profile, yet any number of users can be given those same authorizations simply by being made members of the group.
But there are times when a group profile can outlive its usefulness, such as when you want to retain a group profile’s capabilities as a normal user while moving all of its members to another group that has different authorities. Or you may have made a mistake and turned a normal individual user profile into a group profile and need to decommission it back to its individual profile status. To that end, here’s my three-point checklist for turning a group profile back into a normal user profile.
(Note: Although group profiles are a powerful OS/400 authorization tool, their use can sometimes result in the violation of good OS/400 security techniques. If you’re unfamiliar with group profiles or OS/400 security, consult an expert in the field such as IBM Redbooks or Wayne O. Evans’ Download Security Articles Web site.)
Step 1: End any job that is running under the group profile you want to decommission.
Transforming a group profile into an individual user profile involves changing the group ID number (GID) of the target group profile. OS/400 will not let you change the GID while the group profile is in use by an active job. Therefore, you have to end all jobs that are running under your target group profile. While it is a generally accepted OS/400 security standard that group profiles have a password of *NONE (which means no one can sign on to your system with the profile, and so no job should ever run under it), some shops violate this standard and use a group profile to run jobs under. You can check whether any jobs are running under your target group profile by running the following Work with Object Locks (WRKOBJLCK) command:
WRKOBJLCK OBJ(user profile name) OBJTYPE(*USRPRF)
WRKOBJLCK will show you any job (including server jobs, batch jobs, interactive jobs, and connectivity jobs) that is running under this particular group profile. All of these jobs must be ended before OS/400 will let you change the target group profile’s GID.
Step 2: Remove any user profiles that are listed as members for the group profile you are decommissioning.
You will also not be able to change the GID if there are any user profiles listed as group members for this group profile. To get a list of all the users listed under a particular group profile, you can run the Display User Profile (DSPUSRPRF) command:
DSPUSRPRF USRPRF(group profile name) TYPE(*GRPMBR)
DSPUSRPRF displays all user profiles that are listed as members of your group profile user ID. You can then use the Change User Profile (CHGUSRPRF) command to remove the group profile name from the Group Profile (GRPPRF) or Supplemental Groups (SUPGRPPRF) fields of each member user profile.
You can also use AS/400 Navigator or iSeries Navigator to remove group members by opening the following nodes for your OS/400 server: open “Users and Groups” and then “Groups.” This view displays all group profiles inside your server, and you can add or remove group members for a particular group by right-clicking the group you want to modify and selecting “Properties” from the pop-up menu that appears. This tells OpsNav to display that group’s properties panel, where you can remove group members.
Step 3: Remove the group ID number from the group profile user ID.
A group profile is assigned a GID number automatically whenever another user profile is enrolled as a member of that profile. The GID field can also be modified manually. I have found that removing a group profile’s GID must be done with the OS/400 Change User Profile (CHGUSRPRF) command rather than through the OpsNav GUI. This is because you need to change the GID value of the group profile to *NONE, while OpsNav requires you to enter a GID number between 1 and 4,294,967,294. OpsNav V5R2M0 and lower versions do not allow you to enter *NONE or a null value into the GID field of a group profile.
To change the GID value, edit your target group profile and change the GID value to *NONE, or you can run the following Change User Profile command:
CHGUSRPRF USRPRF(group profile name) GID(*NONE)
If the profile was originally set up with a password of *NONE, and someone now needs to sign on with it as an individual user, change it so that it has a password (and keep it at *NONE if nobody will sign on with it; a profile with no password cannot be used to sign on, which is the safer default).
At this point, your user profile has been decommissioned as a group profile and can no longer be used in that manner. It will now be available for individual use as you see fit.
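The three steps above, combined into one CL program, as an added example that is not part of the original article. The program name (DCMGRPPRF), the second parameter (the group that members whose primary group was the old group should move to, or *NONE), and the use of the QSYS/QADSPUPB model file and its UPUPRF field for the DSPUSRPRF TYPE(*GRPMBR) output file are my assumptions; check the DSPUSRPRF help text on your release for the actual outfile format before compiling. Step 1 cannot be scripted without knowing the jobs involved, so the program simply lets the final CHGUSRPRF fail and reports it if the profile is still in use.

```cl
/* DCMGRPPRF: turn group profile &GRP back into an ordinary user profile. */
/* Added example, not from the article.  Assumption: DSPUSRPRF            */
/* TYPE(*GRPMBR) OUTPUT(*OUTFILE) writes records in the QSYS/QADSPUPB     */
/* format, whose field UPUPRF holds the member profile name.              */
/* Usage:  CALL PGM(DCMGRPPRF) PARM('OLDGRP' 'NEWGRP')   or  PARM('OLDGRP' '*NONE') */
PGM        PARM(&GRP &NEWGRP)
DCL        VAR(&GRP)    TYPE(*CHAR) LEN(10)   /* group being decommissioned     */
DCL        VAR(&NEWGRP) TYPE(*CHAR) LEN(10)   /* replacement primary group/*NONE */
DCL        VAR(&PRIGRP) TYPE(*CHAR) LEN(10)
DCL        VAR(&SUPGRP) TYPE(*CHAR) LEN(150)  /* 15 x 10 from RTVUSRPRF         */
DCL        VAR(&NEWSUP) TYPE(*CHAR) LEN(165)  /* rebuilt supplemental list      */
DCL        VAR(&ONE)    TYPE(*CHAR) LEN(10)
DCL        VAR(&I)      TYPE(*DEC)  LEN(3 0)
DCL        VAR(&POS)    TYPE(*DEC)  LEN(3 0)
DCL        VAR(&CMD)    TYPE(*CHAR) LEN(300)
DCL        VAR(&MSG)    TYPE(*CHAR) LEN(80)
DCLF       FILE(QSYS/QADSPUPB)                /* assumed outfile format (UPUPRF) */

/* Refuse to run against a profile that does not exist */
CHKOBJ     OBJ(&GRP) OBJTYPE(*USRPRF)
MONMSG     MSGID(CPF9801) EXEC(DO)
  CHGVAR     VAR(&MSG) VALUE('Profile' *BCAT &GRP *BCAT 'does not exist')
  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
ENDDO

/* Step 2: list the members into QTEMP and walk the list */
DSPUSRPRF  USRPRF(&GRP) TYPE(*GRPMBR) OUTPUT(*OUTFILE) OUTFILE(QTEMP/GRPMBRS)
OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/GRPMBRS)

NEXTMBR:   RCVF
MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDMBRS))   /* end of file */
RTVUSRPRF  USRPRF(&UPUPRF) GRPPRF(&PRIGRP) SUPGRPPRF(&SUPGRP)

/* Supplemental groups first: rebuild the list without &GRP.  A CL     */
/* character variable cannot be passed as a list, so the command is     */
/* built as a string and run through QCMDEXC.                           */
CHGVAR     VAR(&NEWSUP) VALUE(' ')
CHGVAR     VAR(&I)   VALUE(1)
CHGVAR     VAR(&POS) VALUE(1)
SUPLOOP:   IF COND(&I *LE 15) THEN(DO)
  CHGVAR     VAR(&ONE) VALUE(%SST(&SUPGRP &POS 10))
  IF         COND(&ONE *NE ' ' *AND &ONE *NE &GRP) THEN(DO)
    CHGVAR     VAR(&NEWSUP) VALUE(&NEWSUP *BCAT &ONE)
  ENDDO
  CHGVAR     VAR(&I)   VALUE(&I + 1)
  CHGVAR     VAR(&POS) VALUE(&POS + 10)
  GOTO       CMDLBL(SUPLOOP)
ENDDO
IF         COND(&SUPGRP *NE ' ') THEN(DO)   /* member had supplemental groups */
  IF         COND(&NEWSUP *EQ ' ') THEN(CHGVAR VAR(&NEWSUP) VALUE('*NONE'))
  CHGVAR     VAR(&CMD) VALUE('CHGUSRPRF USRPRF(' *CAT &UPUPRF *TCAT +
                             ') SUPGRPPRF(' *CAT &NEWSUP *TCAT ')')
  CALL       PGM(QCMDEXC) PARM(&CMD 300)
ENDDO

/* Then the primary group.  GRPPRF(*NONE) is rejected while the member  */
/* still has supplemental groups, so that case is reported and the GID  */
/* change below will fail until it is resolved by hand.                 */
IF         COND(&PRIGRP *EQ &GRP) THEN(DO)
  CHGUSRPRF  USRPRF(&UPUPRF) GRPPRF(&NEWGRP)
  MONMSG     MSGID(CPF0000) EXEC(DO)
    CHGVAR     VAR(&MSG) VALUE('Could not change GRPPRF of' *BCAT &UPUPRF)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*DIAG)
  ENDDO
ENDDO
GOTO       CMDLBL(NEXTMBR)

ENDMBRS:   DLTOVR FILE(QADSPUPB)
DLTF       FILE(QTEMP/GRPMBRS)

/* Step 3: drop the GID.  This is where an unfinished Step 1 shows up:   */
/* the change fails if the profile is still in use by a job (check with */
/* WRKOBJLCK OBJ(&GRP) OBJTYPE(*USRPRF)) or still has members.          */
CHGUSRPRF  USRPRF(&GRP) GID(*NONE)
MONMSG     MSGID(CPF0000) EXEC(DO)
  CHGVAR     VAR(&MSG) VALUE('GID of' *BCAT &GRP *BCAT +
                             'not removed: profile still in use or still a group')
  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*ESCAPE)
ENDDO
ENDPGM
```

The program deliberately does not touch the password: a profile that had PASSWORD(*NONE) stays that way until you decide someone really needs to sign on with it.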