Question

How do I consolidate users with equal authorities into a group?

Answer

Step 1 Creation of group record

Create a user record within PCSACC/400, e.g. SALES, with the description "group for department SALES".

All other fields are suppressed as they are not of importance for a user group record.


So that the maintenance programs for the user group can be called via radio buttons from the change or display screen for user groups, the corresponding data fields show the value N = no data or D = data records exist.


A user profile SALES must not exist.

Using one user record both as data record and as group record is not supported up to release V4R1 of PCSACC/400. At installation time, such records are automatically split into *USER and *GROUP records.

In general, we differentiate between user authorities and data authorities.

User authorities specify whether an application, e.g. SQL/ODBC, is allowed, prohibited, or whether access is controlled.

Data authorities are access information for libraries, files, data queues, file members, IFS directories, CL commands/CALLs, IP addresses and mail addresses.

Data authorities may be specified for a group, a user or *PUBLIC. *PUBLIC access is stored in user record QDEFAULT.

The following combinations are possible:

1 - 5 Groups and *PUBLIC
1 - 4 Groups, users and *PUBLIC
Users and *PUBLIC.

If the user has individual data authorities, he has to be entered as a group. In this case, only 4 more groups may be used.

For performance reasons, please do not use much more than one user group.


Step 2 Detect identical users

Multiple employees of a department may have the same access profile. These data can be transferred to a group. Each user may, however, additionally have authorities of his own.

Option 6 can be used to print a compacted list of a user's stored data records.


The compacted list should be printed in order to get an overview of the rights of the different users. It helps to decide whether all authorities are to be transferred to a group or whether individual authorities are to remain with the user.
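
This decision can be prepared offline. The Python code below is an added example, not part of PCSACC/400 or of the original FAQ: it finds users with identical authorities and splits a planned group's members into shared and individual authorities. The record layout, the sample users and all function names are assumptions; it also assumes that only authorities held by every member go to the group, so that no member gains access through the transfer, and it applies the five-slot rule from Step 1.

```python
# Added example: the record layout (user, type, object, right) is an assumption,
# not PCSACC/400's own list or file format.
from collections import defaultdict

MAX_SLOTS = 5  # page: 1-5 groups, or 1-4 groups plus the user's own authorities

# Constructed sample data, as it might be typed in from the compacted lists.
RECORDS = [
    ("MILLER", "LIB", "SALESLIB", "READ"),
    ("MILLER", "FILE", "SALESLIB/ORDERS", "READ"),
    ("SMITH", "LIB", "SALESLIB", "READ"),
    ("SMITH", "FILE", "SALESLIB/ORDERS", "READ"),
    ("JONES", "LIB", "SALESLIB", "READ"),
    ("JONES", "FILE", "SALESLIB/ORDERS", "READ"),
    ("JONES", "FILE", "PAYLIB/SALARY", "READ"),
]

def authorities_by_user(records):
    auth = defaultdict(set)
    for user, obj_type, obj, right in records:
        auth[user].add((obj_type, obj, right))
    return dict(auth)

def identical_users(records):
    """Return lists of users whose authority sets are exactly equal."""
    buckets = defaultdict(list)
    for user, rights in authorities_by_user(records).items():
        buckets[frozenset(rights)].append(user)
    return sorted(sorted(users) for users in buckets.values() if len(users) > 1)

def plan_group(records, members, existing_groups=0):
    """Split the members' authorities into a shared group set and per-user rest."""
    auth = authorities_by_user(records)
    shared = set.intersection(*(auth[u] for u in members))
    users = {}
    for user in members:
        individual = auth[user] - shared
        # The new group takes one slot; individual authorities take one more.
        slots = existing_groups + 1 + (1 if individual else 0)
        users[user] = {
            "individual": sorted(individual),
            "check_individual": 1 if individual else 0,
            "within_limit": slots <= MAX_SLOTS,
        }
    return {"group": sorted(shared), "users": users}

if __name__ == "__main__":
    print(identical_users(RECORDS))
    print(plan_group(RECORDS, ["MILLER", "SMITH", "JONES"]))
```

The check_individual value corresponds to the field Additionally check individual authorities described further down: 1 for a user who keeps authorities of his own, 0 otherwise.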


Step 3 Transfer of authorities from user to group

Data authorities are transferred via the copy function.

New within PCSACC/400 V4R1 is the addition of data authorities to existing data records, similar to the functionality for conversion of log data into access authorities.

The copy function within a subfile allows multiple records to be transferred at the same time.

A new function allows all user data of multiple users to be copied to a group at the same time.


Transfer of all authorities to a group

1. Libraries

Using option 3 + F10, select all users that are to become members of a certain group and whose data authorities are to be transferred to the group.


Select 2 = Add user-/data to a group and enter the name of the group into the following field. Via F13, a group may be selected.

By using the customer template *TEMPL, the control fields of the users may also be adjusted.


If a user has been selected by mistake, he can now be skipped via option B = Bypass.

If not all data of a data type are to be transferred, the display may be extended via F4. The fields not to be copied have to be cleared to *BLANK.
Individual transfer of single libraries and/or files can be performed via the copy function in the respective programs.

If not all data authorities are transferred, the user will also be entered as a group if the corresponding system value is activated.

Via F2, the data will now be transferred to the group and, at the same time, the user will become a member of the group.

This new functionality provides a very easy method to consolidate multiple users to groups.


The user has become a group member

In the user record, the group is entered manually.

If the user also has individual data authorities, he will, if the system value is active, automatically be entered as the 2nd group.

Via F4, the group may also be selected; only groups not yet used will be displayed.
If the user has individual data authorities and is not yet stored as a group, he will also be displayed in white for selection. One group may be selected per display.


On this display, the sequence may additionally be changed.


After updating the record, it is possible to check on the user overview whether the entry is correct. The group is entered manually in the user record.

In column G, the figure (= number of groups) is shown in green if no individual data authorities exist, otherwise in white.

In the text option = 3, all groups can be viewed.


The fields for the group are activated in the user record, as is the field "Additionally check individual authorities" if data authorities exist for the user.

After updating the record, the user overview shows whether the entry is correct.
If the user does not have individual authorities (field "Additionally check individual authorities" = 0), the group is displayed in green. If the user name also appears in green, everything is correct. If the user name appears in white, the user has individual authorities, but they will not be checked. The field "Additionally check individual authorities" therefore has to be set to 1. Now the user and the group will be displayed in white and everything is correct.


2. Change with group model

A customer template *TEMPL with record type 7 = SALES is created.

All fields are set to the values that a normal user should have.

No OS/400 user profile is allowed to exist for this record.

Option A has to be specified for the user and, instead of QDEFACT, the group model SALES# has to be specified in the options (= activation with individual model).

In contrast to normal activation with model QDEFACT, the group fields will also be transferred. This method is recommended if multiple users that still have the entries QNEW and TV are to be changed to group members.

If the user has individual data authorities, he will, if the system values are active, automatically also be entered as a group.

Individual data authorities can be transferred to the group via the copy function in the respective maintenance programs.
