Securely Resetting Disabled User Profiles
August 18, 2004 Hey, Wayne O.
We have set system values QMAXSGNACN and QMAXSIGN to disable user profiles after three invalid sign-on attempts. Therefore, a common daily function that we do is to enable users that have typed their password incorrectly three times. As a result I have provided several people in the IT department with *SECADM authority. However, this allows them to change most, if not all, parameters in the user profiles that they have access to.
Is there a way to remove the *SECADM authority but still allow them to be able to change only the “status” parameter in the user profile from *DISABLED to *ENABLED?
–Steve
Thanks for your question, Steve. There is definitely a better way to handle this situation than giving *SECADM authority to users. You mentioned that granting *SECADM authority to users allows them to change other profile parameters. But the risk is even greater, because with *SECADM access the users can also enroll new user profiles in the system.
You do not need to give users *SECADM special authority. A program can adopt the necessary access to reset user passwords. An advantage of the reset password program is that it will limit what profiles can be changed and restrict changes to the password and user profile status.
I am including the code for a CL command (RESETPWD) and CL program (RESETPWD1). Together these objects can be used to enable user profiles and change the user password. The CL program adopts its owner’s authority so that users do not need *SECADM special authority. The program changes the user profile to enabled status and changes the user’s password. I limit access to the program and command with an authorization list RESETPWD.
The figure below illustrates the relationships among the different components.
USER1 and USER2 (other than users with *ALLOBJ authority) are the only users authorized to run this function.
(There is a side benefit of using adopted authority that you did not mention in your note. The users, USER1 and USER2, do not need to be authorized to the profile of other users. If the program RESETPWD1 is owned by a user with *SECADM and *ALLOBJ authority, that user can reset a user profile without being authorized to the user profile. I recommend that you check the authority to user profiles and make sure the *PUBLIC access is *EXCLUDE and that no other users have access to the user profiles.)
The steps to create the objects are as follows:
- Sign on as a user with *ALLOBJ and *SECADM special authority.
- Create the authorization list used to secure the CL command and program. Users added to this list are allowed to use the function.
- Create the CL program RESETPWD1 (the source for which is provided below). On the create command, specify USRPRF(*OWNER) so the program will run with the authority of the program owner.
- Create the command RESETPWD (the source is provided below) and secure the command with the authorization list RESETPWD.
- Add users to the authorization list.
CRTAUTL AUTL(RESETPWD) AUT(*EXCLUDE) TEXT('Users allowed to Reset Passwords')
CRTCLPGM PGM(QGPL/RESETPWD1) AUT(RESETPWD) USRPRF(*OWNER) SRCFILE(source file) SRCMBR(source member) TEXT('Reset Passwords and Enable users')
CRTCMD CMD(QGPL/RESETPWD) AUT(RESETPWD) PGM(QGPL/RESETPWD1) SRCFILE(source file) SRCMBR(source member) TEXT('Users allowed to Reset Passwords')
ADDAUTLE AUTL(RESETPWD) USER(USER1 USER2) AUT(*USE)
TECHNICAL DETAILS
The program RESETPWD1 uses the QSYRUSRI API to retrieve the special authorities of the user profile. The program refuses to reset powerful profiles, so that it cannot be used to reset the password of a security officer.
This simple program illustrates the many ease-of-use and security features of OS/400. Sometimes we simply use the very powerful features without considering how powerful and flexible OS/400 is.
PROGRAM ADOPTION OF AUTHORITY
The adoption of the owner's authority allows users of the program to temporarily inherit the access of the program owner while the program runs. This is a powerful feature because the program design limits what the user can do, which is more secure than giving the user the access needed to reset user passwords directly.
AUTHORIZATION LISTS
The use of an authorization list allows users to be granted access to multiple objects (RESETPWD and RESETPWD1) in one operation. Authorization lists are the best way to associate individual access with objects.
COMPILE CL AS PROGRAM
Few operating systems allow the command language (OS/400 CL) to be compiled into a program. Because CL can be compiled, the features such as adoption of authority can be used. Since programs are objects, the system administrator can authorize users to the program.
USER-DEFINED COMMANDS
The CL of OS/400 is extended by allowing user commands. The user commands are just like OS/400 commands. The creation of CL commands provides an ease-of-use feature for users including the powerful command prompter.
The following is the code for RESETPWD1, the CL program to reset the user password:
/***************************************************************/
/* Create as a user with *ALLOBJ and *SECADM                   */
/* CRTCLPGM PGM(lib/RESETPWD1) USRPRF(*OWNER) AUT(RESETPWD)    */
/* RESETPWD1 -- Allows the help desk to reset passwords but    */
/* does not allow the reset of users with powerful access      */
/***************************************************************/
            PGM        PARM(&USERID)
            DCL        VAR(&USERID) TYPE(*CHAR) LEN(10)
            DCL        VAR(&RTNDTA) TYPE(*CHAR) LEN(83)
/*********************************************/
/* API work area: USRI0200 data returned     */
/* Pos  Type       Field                     */
/*  1   BINARY(4)  Bytes returned            */
/*  5   BINARY(4)  Bytes available           */
/*  9   CHAR(10)   User profile name         */
/* 19   CHAR(10)   User class name           */
/* 29   CHAR(15)   Special authority         */
/* 29   CHAR(1)      ALLOBJ                  */
/* 30   CHAR(1)      SECADM                  */
/* 31   CHAR(1)      JOBCTL                  */
/* 32   CHAR(1)      SPLCTL                  */
/* 33   CHAR(1)      SAVSYS                  */
/* 34   CHAR(1)      SERVICE                 */
/* 35   CHAR(1)      AUDIT                   */
/* 36   CHAR(1)      IOSYSCFG                */
/*********************************************/
            DCL        VAR(&OUTVARD) TYPE(*DEC) LEN(5 0) VALUE(83)
            DCL        VAR(&OUTLEN) TYPE(*CHAR) LEN(4)
            DCL        VAR(&FMT) TYPE(*CHAR) LEN(8) VALUE('USRI0200')
            DCL        VAR(&ERRCDE) TYPE(*CHAR) LEN(80)
            DCL        VAR(&ERRLEND) TYPE(*DEC) LEN(5 0) VALUE(80)
/******************************************************/
/* Retrieve the special authority of the user profile */
/* Do not allow reset if user has special authority   */
/* *ALLOBJ *SECADM *SPLCTL or *SERVICE                */
/******************************************************/
            CHGVAR     VAR(%BIN(&OUTLEN)) VALUE(&OUTVARD)
            CHGVAR     VAR(%BIN(&ERRCDE 1 4)) VALUE(&ERRLEND)
            CALL       PGM(QSYRUSRI) PARM(&RTNDTA &OUTLEN &FMT +
                         &USERID &ERRCDE)
/* Fail closed: the error code has bytes provided set to 80, so  */
/* the API reports errors in &ERRCDE instead of signalling an    */
/* exception. If bytes available is not 0 the authority fields   */
/* were never filled in, so the profile must not be reset.       */
            IF         COND(%BIN(&ERRCDE 5 4) *NE 0) THEN(DO)
            SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('User +
                         profile information could not be +
                         retrieved. Password not reset.') +
                         MSGTYPE(*ESCAPE)
            ENDDO
            IF         COND((%SST(&RTNDTA 29 1) = 'Y') *OR /* *ALLOBJ  */ +
                            (%SST(&RTNDTA 30 1) = 'Y') *OR /* *SECADM  */ +
                            (%SST(&RTNDTA 32 1) = 'Y') *OR /* *SPLCTL  */ +
                            (%SST(&RTNDTA 34 1) = 'Y'))    /* *SERVICE */ +
                         THEN(DO)
            SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA('The +
                         security officer must reset the password +
                         for this user.') MSGTYPE(*ESCAPE)
            ENDDO
/* Enable the profile and assign a temporary password that the   */
/* user must change at the next sign-on (PWDEXP(*YES))           */
            CHGUSRPRF  USRPRF(&USERID) PASSWORD(CAKE4LUNCH) +
                         STATUS(*ENABLED) PWDEXP(*YES)
            ENDPGM
The following is the code for RESETPWD, the CL command to reset the user password:
/********************************************************************/
/* PURPOSE: RESETPWD -- Reset Password for users                    */
/*                                                                  */
/* CRTCMD CMD(lib/RESETPWD) PGM(lib/RESETPWD1) AUT(RESETPWD)        */
/*                                                                  */
/* USRPRF   User profile whose password is reset                    */
/*                                                                  */
/* PROGRAMMER                                                       */
/* Wayne O. Evans   Wayne O. Evans Consulting, Inc                  */
/* Phone (520) 578-7785   Tucson AZ                                 */
/* Fax (520) 578-7786     Internet:WOEvans@AOL.com                  */
/********************************************************************/
            CMD        PROMPT('Reset User Profile Password')
/* MIN(1) makes the profile name required so the command cannot   */
/* be run with a blank user profile                               */
            PARM       KWD(USRPRF) TYPE(*NAME) LEN(10) MIN(1) +
                         PROMPT('User profile to reset')
Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com. E-mail: woevans@itjungle.com