CRTUSRPRF – Create User Profile

The Create User Profile (CRTUSRPRF) command identifies a user to the system and allows you to customize the way the system appears. When the profile is created, the profile is given *CHANGE and *OBJMGT authorities for the profile itself. The system relies on the profile having these authorities to itself and they should not be removed.

Advertisements

Restrictions: The user of this command must have:

  • Security administrator (*SECADM) special authority
  • Use (*USE) authority to the initial program, initial menu, job description, message queue, output queue, and attention-key-handling program (if specified)
  • Change (*CHANGE) and object management (*OBJMGT) authorities to the group profile and supplemental group profiles (if specified).
CREATE USER PROFILE
CREATE USER PROFILE – (CRTUSRPRF)

User profile (USRPRF)

Specifies the name of the user profile to be created. A numeric user profile can be specified. If the user profile begins with a numeric, it must be prefixed with a Q. This is a required parameter.

User password (PASSWORD)

Specifies the password that allows the user to sign on the system. The password is associated with a user profile and is used by the system to represent the user in the system. The passwords should be known only to the individual user. A numeric password can be specified.

Advertisements

When the system is operating at password level 0 or 1 and the password begins with a numeric, then the password must be prefixed with a Q, for example, Q1234 where 1234 is the password used for signing on the system, or Q1ABC where 1ABC is the password used for signing on the system.

Note: The password level is controlled by the Password Level (QPWDLVL) system value.

Set password to expired (PWDEXP)

Specifies whether the password for this user is set to expired. If the password is set to expired, the user is required to change the password to sign on the system. When the user attempts to sign on the system, the sign-on information display is shown and the user has the option to change this password.

Status (STATUS)

Specifies the status of the user profile. The system will disable a user profile when:

  • The user profile reaches the maximum number of password verifications. The maximum number of password verifications is reached when the number of failed password verification attempts reaches the limit specified on the QMAXSIGN system value and option 2 or 3 has been specified on the QMAXSGNACN system value.
  • The user profile expiration date is reached. Use the Display User Profile (DSPUSRPRF) command to display the user expiration date.
  • The STATUS parameter is set to *DISABLED on the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command.

User class (USRCLS)

Specifies the type of user associated with this user profile: security officer, security administrator, programmer, system operator, or user. The user class controls the options that are shown on a menu. Special authorities are given only if *USRCLS is specified for the Special authority (SPCAUT) parameter. If SPCAUT(*USRCLS) is specified, the special authorities granted will differ depending on the QSECURITY value.

Assistance level (ASTLVL)

Specifies which user interface to use.

*SYSVAL – The assistance level defined in the system value QASTLVL is used.

*BASIC – The Operational Assistant user interface is used.

*INTERMED – The system interface is used.

*ADVANCED – The expert system interface is used. To allow for more list entries, option keys and function keys are not displayed. If a command does not have an advanced (*ADVANCED) level, the intermediate (*INTERMED) level is used.

Current library (CURLIB)

Specifies the name of the current library associated with the job being run.

Specifies the name of the library to be used as the current library for this user. If *PARTIAL or *YES is specified for the Limit capabilities (LMTCPB) parameter of the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command, the user cannot change the current library at sign-on or with the Change Profile (CHGPRF) command.

Change Current Library(Opens in a new browser tab)

Initial program to call (INLPGM)

Specifies, for an interactive job, the program called whenever a new routing step is started that has QCMD as the request processing program. If *PARTIAL or *YES is specified for the Limit capabilities (LMTCPB) parameter, the program value cannot be changed at sign on or by using the Change Profile (CHGPRF) command. No parameters can be passed to the program.

Advertisements

A System/36 environment procedure name can be specified as the initial program if the procedure is a member of the file QS36PRC (in the library list or specified library) and if either of the following conditions are true:

  • *S36 is specified on the SPCENV parameter.
  • *SYSVAL is specified on the SPCENV parameter and the system value, QSPCENV, is *S36.

Initial menu (INLMNU)

Specifies the initial menu displayed when the user signs on the system if the user’s routing program is the command processor QCMD. If *YES is specified for the Limit capabilities (LMTCPB) parameter, the user cannot change the menu either at sign-on or with the Change Profile (CHGPRF) command.

Advertisements

A System/36 environment menu can be specified as the initial menu if either of the following conditions are true:

  • *S36 is specified for the Special environment (SPCENV) parameter.
  • *SYSVAL is specified on the SPCENV parameter and the system value, QSPCENV, is *S36.

Limit capabilities (LMTCPB)

Specifies the limit to which the user can control the program, menu, current library, and the ATTN key handling program values. It also determines whether the user can run commands from a command line. This parameter is ignored when the security level is 10.

Note: When creating or changing other users’ user profiles, you cannot specify values on this parameter that grant greater capabilities to other users than your own user profile grants to you.

Advertisements

For example, if *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter in your user profile, you can specify *PARTIAL or *YES for another user. You cannot specify *NO for another user.

Text ‘description’ (TEXT)

Specifies the text that briefly describes the object.


Additional parameters

To get additional parameters press F10 in CRTURPRF screen

CREATE USER PROFILE ADDITIONAL PARAMETERS
CREATE USER PROFILE ADDITIONAL PARAMETERS

Special authority (SPCAUT)

Specifies the special authorities given to a user. Special authorities are required to perform certain functions on the system. Special authorities cannot be removed from many of the system-supplied user profiles, including QSECOFR and QSYS.

The following special authorities are usually given:

  • Save system (*SAVSYS) special authority to users who need to operate the system.
  • Input/output system configuration (*IOSYSCFG) special authority to users who need to change system I/O configurations.
  • Job control (*JOBCTL) special authority is given to the user. The user is given the authority to change, display, hold, release, cancel, and clear all jobs that are running on the system or that are on a job queue or output queue that has OPRCTL (*YES) specified. The user also has the authority to load the system, to start writers, and to stop active subsystems.
  • Security administrator (*SECADM) special authority to users who need to create, change, or delete user profiles.
  • All object (*ALLOBJ) special authority to users who need to work with system resources.
  • Service (*SERVICE) special authority to users who need to perform service functions.
  • Spool control (*SPLCTL) special authority to users who need to perform all spool-related functions.
  • Audit (*AUDIT) special authority to users who need to perform auditing functions.
Advertisements

Restrictions:

  • The user profile creating or changing another user profile must have all of the special authorities being given. All special authorities are needed to give all special authorities to another user profile.
  • A user must have *ALLOBJ and *SECADM special authorities to give a user *SECADM special authority when using the CHGUSRPRF command.
  • The user must have *ALLOBJ, *SECADM, and *AUDIT special authorities to give a user *AUDIT special authority when using the CHGUSRPRF command.

Special environment (SPCENV)

Specifies the special environment in which the user operates after signing on.

Display sign-on information (DSPSGNINF)

Specifies whether the sign-on information display is shown.

Password expiration interval (PWDEXPITV)

Specifies the password expiration interval (in days).

*SYSVAL – The system value QPWDEXPITV is used to determine the password expiration interval.

*NOMAX – The password does not expire.

1-366 – Specify the number of days between the date when the password is changed and the date when the password expires. Valid values range from 1 through 366.

Block password change (PWDCHGBLK)

Specifies the time period during which a password is blocked from being changed following the prior successful password change operation. This value can be used to prevent users from reusing the same expired password value by simply changing their password numerous times to get back to the expired password value (and defeating the purpose of the QPWDRQDDIF system value). This parameter does not restrict a security administrator from using a command like Change User Profile (CHGUSRPRF) to change the password.

Advertisements

In addition, this parameter will not block the user from changing their profile’s password when the set to expired (PWDEXP) value is *YES. This allows a security administrator to create a user profile with an expired password and still permit the user to sign-on and change the password (once) without being prevented by the block password change value.

Local password management (LCLPWDMGT)

Specifies whether the user profile password should be managed locally.

Limit device sessions (LMTDEVSSN)

Specifies if the number of device sessions allowed for a user is limited. This does not limit SYSREQ and second sign-on.

Keyboard buffering (KBDBUF)

Specifies the keyboard buffering value to be used when a job is initialized for this user profile. If the type-ahead feature is active, you can buffer your keyboard strokes. If the attention key buffering option is active, the attention key is buffered as any other key. If it is not active, the attention key is not buffered and is sent to the system even if the display station is input-inhibited. This value can also be set by a user application.

Maximum allowed storage large (MAXSTGLRG)

Specifies the maximum amount of auxiliary storage (in kilobytes) assigned to store permanent objects owned by this user profile (1 kilobyte equals 1024 bytes) in the system auxiliary storage pool (ASP) and on all the basic ASPs combined. In addition, the value specified for this parameter also controls the maximum amount of auxiliary storage that can be used to store permanent objects owned by this user profile on each Independent ASP (IASP). For example, if the value for this parameter is set to 100, this user is allowed to own objects that have a total size of 100K in the system ASP and all basic ASPs combined. This user is also allowed to own objects that have a total size of 100K on each IASP.

Advertisements

If the maximum is exceeded when an interactive user tries to create an object, an error message is displayed, and the object is not created. If the maximum is exceeded when an object is created in a batch job, an error message is sent to the job log (depending on the logging level of the job), and the object is not created.

Note: You can specify a value for either the Maximum allowed storage (MAXSTG) parameter or the Maximum allowed storage large (MAXSTGLRG) parameter, but not for both.

Storage is allocated in 4K increments. Therefore, if you specify MAXSTG(9) or MAXSTGLRG(9), the profile is allocated 12K of storage.

When planning maximum storage for user profiles, consider the following system actions:

  • A restore operation assigns the storage to the user doing the restore, and then transfers the object to the owner. For a large restore, specify MAXSTGLRG(*NOMAX) or MAXSTG(*NOMAX).
  • The user profile that creates a journal receiver is assigned the required storage as the receiver size grows. If new receivers are created using JRNRCV(*GEN), the storage continues to be assigned to the user profile that owns the active journal receiver. If a very active journal receiver is owned, specify MAXSTGLRG(*NOMAX) or MAXSTG(*NOMAX).
  • User profiles that transfer created objects to their group profile must have adequate storage in the user profiles to contain created objects before the objects are transferred to the group profile.
  • The owner of the library is assigned the storage for the descriptions of objects which are stored in a library, even when the objects are owned by another user profile. Examples of such objects are text and program references.

Maximum allowed storage (MAXSTG)

Specifies the maximum amount of auxiliary storage (in kilobytes) assigned to store permanent objects owned by this user profile (1 kilobyte equals 1024 bytes) in the system auxiliary storage pool (ASP) and on all the basic ASPs combined. In addition, the value specified for this parameter also controls the maximum amount of auxiliary storage that can be used to store permanent objects owned by this user profile on each Independent ASP (IASP). For example, if the value for this parameter is set to 100, this user is allowed to own objects that have a total size of 100K in the system ASP and all basic ASPs combined. This user is also allowed to own objects that have a total size of 100K on each IASP.

Advertisements

If the maximum is exceeded when an interactive user tries to create an object, an error message is displayed, and the object is not created. If the maximum is exceeded when an object is created in a batch job, an error message is sent to the job log (depending on the logging level of the job), and the object is not created.

Note: You can specify a value for either the Maximum allowed storage (MAXSTG) parameter or the Maximum allowed storage large (MAXSTGLRG) parameter, but not for both.

Storage is allocated in 4K increments. Therefore, if you specify MAXSTG(9) or MAXSTGLRG(9), the profile is allocated 12K of storage.

When planning maximum storage for user profiles, consider the following system actions:

  • A restore operation assigns the storage to the user doing the restore, and then transfers the object to the owner. For a large restore, specify MAXSTGLRG(*NOMAX) or MAXSTG(*NOMAX).
  • The user profile that creates a journal receiver is assigned the required storage as the receiver size grows. If new receivers are created using JRNRCV(*GEN), the storage continues to be assigned to the user profile that owns the active journal receiver. If a very active journal receiver is owned, specify MAXSTGLRG(*NOMAX) or MAXSTG(*NOMAX).
  • User profiles that transfer created objects to their group profile must have adequate storage in the user profiles to contain created objects before the objects are transferred to the group profile.
  • The owner of the library is assigned the storage for the descriptions of objects which are stored in a library, even when the objects are owned by another user profile. Examples of such objects are text and program references.

Highest schedule priority (PTYLMT)

Specifies the highest scheduling priority the user is allowed to have for each job submitted to the system. This value controls the job processing priority and output priority for any job running under this user profile; that is, values specified in the JOBPTY and OUTPTY parameters of any job command cannot exceed the PTYLMT value of the user profile under which the job is run. The scheduling priority can have a value ranging from 0 through 9, where 0 is the highest priority and 9 is the lowest priority.

Job description (JOBD)

Specifies the job description used for jobs that start through subsystem work station entries. If the job description does not exist when the user profile is created or changed, a library qualifier must be specified, because the job description name is kept in the user profile.

Group profile (GRPPRF)

Specifies the user’s group profile name whose authority is used if no specific authority is given for the user. The current user of this command must have object management (*OBJMGT) and change (*CHANGE) authority to the profile specified for the Group profile (GRPPRF) parameter. The required *OBJMGT authority cannot be given by a program adopt operation.

Advertisements

Note:

  1. When a group profile is specified, the user is automatically granted *CHANGE and *OBJMGT authority to the group profile.
  1. The following IBM-supplied objects are not valid on this parameter.QANZAGENT, QAUTPROF, QCLUMGT, QCLUSTER, QDBSHR, QDBSHRDO, QDFTOWN, QDIRSRV, QDLFM, QDOC, QDSNX, QEJB, QFNC, QGATE, QIBMHELP, QIPP, QLPAUTO, QLPINSTALL, QLWISVR, QMGTC, QMSF, QNETSPLF, QNFSANON, QNTP, QPEX, QPM400, QRJE, QSNADS, QSPL, QSPLJOB, QSRV, QSRVAGT, QSRVBAS, QSYS, QTCM, QTCP, QTFTP, QTSTRQS, QWEBADMIN, QWSERVICE, QYCMCIMOM, QYPSJSVR

Owner (OWNER)

Specifies the user profile that is to be the owner of objects created by this user.

Group authority (GRPAUT)

The specific authority given to the group profile for newly created objects. If *GRPPRF is specified for the Owner (OWNER) parameter, specification of this parameter is not allowed.

Group authority type (GRPAUTTYP)

Specifies the type of authority to be granted to the group profile for newly-created objects. If *NONE is specified for the Group authority (GRPAUT) parameter, specification of this parameter is ignored.

Supplemental groups (SUPGRPPRF)

Specifies the user’s supplemental group profiles. The profiles specified here, along with the group profile specified for the Group profile (GRPPRF) parameter, are used to determine what authority the user has if no specific user authority is given for the job. If profiles are specified for this parameter, a group profile name must be specified on the GRPPRF parameter for this user profile (either on this command or on a previous Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command. The current user of this command must have object management (*OBJMGT) and change (*CHANGE) authority to the profiles specified for this. The required *OBJMGT authority cannot be given by a program adopt operation.

Advertisements

Notes:

  1. When a group profile is specified, the user is automatically granted *CHANGE and *OBJMGT authority to the group profile.
  1. The following IBM-supplied user profiles are not valid for this parameter:QANZAGENT, QAUTPROF, QCLUMGT, QCLUSTER, QDBSHR, QDBSHRDO, QDFTOWN, QDIRSRV, QDLFM, QDOC, QDSNX, QEJB, QFNC, QGATE, QIBMHELP, QIPP, QLPAUTO, QLPINSTALL, QLWISVR, QMGTC, QMSF, QNETSPLF, QNFSANON, QNTP, QPEX, QPM400, QRJE, QSNADS, QSPL, QSPLJOB, QSRV, QSRVAGT, QSRVBAS, QSYS, QTCM, QTCP, QTFTP, QTSTRQS, QWEBADMIN, QWSERVICE, QYCMCIMOM, QYPSJSVR

Accounting code (ACGCDE)

Specifies the accounting code that is associated with this user profile.

Document password (DOCPWD)

Specifies the document password that allows Document Interchange Architecture (DIA) document distribution services users protect personal distributions from being used by people who work on their behalf.

Message queue (MSGQ)

Specifies the message queue to which messages are sent.

Note: The message queue is created, if it does not already exist. The user profile specified for the User profile (USRPRF) parameter is the owner of the message queue.

Delivery (DLVRY)

Specifies how messages are sent to the message queue for this user are to be delivered.

Severity code filter (SEV)

Specifies the lowest severity code that a message can have and still be delivered to a user in break or notify mode. Messages arriving at the message queue whose severities are lower than the severity code specified for this parameter do not interrupt the job or turn on the audible alarm or the message-waiting light; they are held in the queue until they are requested by using the Display Message (DSPMSG) command. If *BREAK or *NOTIFY is specified for the Delivery (DLVRY) parameter, and is in effect when a message arrives at the queue, the message is delivered if the severity code associated with the message is equal or greater then the value specified here. Otherwise, the message is held in the queue until it is requested.

Print device (PRTDEV)

Specifies the default printer device for this user. If the printer file used to create printed output specifies to spool the data, the spooled file is placed on the device’s output queue, which is named the same as the device.

Advertisements

Note: This assumes the defaults are specified for the Output queue (OUTQ) parameter for the printer file, job description, user profile and workstation.

Output queue (OUTQ)

Specifies the output queue to be used by this user profile. The output queue must already exist when this command is run.

Attention program (ATNPGM)

Specifies the program to be used as the Attention (ATTN) key handling program for this user. The ATTN key handling program is called when the ATTN key is pressed during an interactive job. The program is active only when the user routes to the system-supplied QCMD command processor. The ATTN key handling program is set on before the initial program (if any) is called and it is active for both program and menu. If the program changes the ATNPGM (by using the SETATNPGM command), the new program remains active only for the duration of the program. When control returns and QCMD calls the menu, the original ATTN key handling program becomes active again. If the SETATNPGM command is run from the menus or an application is called from the menus, the new ATTN key handling program that is specified overrides the original ATTN key handling program. If *YES or *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter on the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command, the ATTN key handling program cannot be changed.

Sort sequence (SRTSEQ)

Specifies the sort sequence table to be used for string comparisons for this profile.

Language ID (LANGID)

Specifies the language identifier to be used for this user.

Country or region ID (CNTRYID)

Specifies the country or region identifier to be used for this user.

Coded character set ID (CCSID)

Specifies the coded character set identifier (CCSID) to be used for this user.

A CCSID is a 16-bit number identifying a specific set of encoding scheme identifiers, character set identifiers, code page identifiers, and additional coding-related information that uniquely identifies the coded graphic representation used.

Advertisements

Note: If the value for CCSID is changed, the change does not affect jobs that are currently running.

Character identifier control (CHRIDCTL)

Specifies the character identifier control (CHRIDCTL) for the job. This attribute controls the type of coded character set identifier (CCSID) conversion that occurs for display files, printer files and panel groups. The *CHRIDCTL special value must be specified for the Character identifier (CHRID) parameter on the create, change, or override commands for display files, printer files, and panel groups before this attribute will be used.

Locale job attributes (SETJOBATR)

Specifies which job attributes are to be taken from the locale specified for the Locale (LOCALE) parameter when the job is initiated.

Locale (LOCALE)

Specifies the path name of the locale that is assigned to the LANG environment variable for this user.

Note: This parameter is Unicode-enabled. See “Unicode support in CL” in the CL topic collection in the Programming category in the IBM i Information Center

User options (USROPT)

Specifies the level of help information detail to be shown and the function of the Page Up and Page Down keys by default. The system shows several displays that are suitable for the inexperienced user. More experienced users must perform an extra action to see detailed information. When values are specified for this parameter, the system presents detailed information without further action by the experienced user.

User ID number (UID)

Specifies the user ID number (uid number) for this user profile. The uid number is used to identify the user when the user is using the directory file system. The uid number for a user cannot be changed if there are one or more active jobs for the user.

Group ID number (GID)

Specify the group ID number (gid number) for this user profile. The gid number is used to identify the group profile when a member of the group is using the directory file system. The gid number for a user may not be changed if:

Advertisements
  • The user profile is the primary group of an object in a directory.
  • There are one or more active jobs for the user.

Home directory (HOMEDIR)

Specifies the path name of the home directory for this user profile. The home directory is the user’s initial working directory. The working directory, associated with a process, is used during path name resolution in the directory file system for path names that do not begin with a slash (/). If the home directory specified does not exist when the user signs on, the user’s initial working directory is the root (/) directory.

EIM association (EIMASSOC)

Specifies whether an EIM (Enterprise Identity Mapping) association should be added to an EIM identifier for this user.

Note.

  1. This information is not stored in the user profile. This information is not saved or restored with the user profile.
  2. If this system is not configured for EIM, then no processing is done. Not being able to perform EIM operations does not cause the command to fail.

User expiration date (USREXPDATE)

Specifies the date when the user profile expires and is automatically disabled. Use the Display Expiration Schedule (DSPEXPSCD) command to display a list of all user profiles set to expire.

If a user profile is set to expire, the QSECEXP1 job is scheduled to run nightly.

User expiration interval (USREXPITV)

Specifies the expiration interval (in days) before the user profile is automatically disabled. Use the Display User Profile (DSPUSRPRF) command to display the date the user profile expires. Use the Display Expiration Schedule (DSPEXPSCD) command to display a list of all user profiles set to expire.

Advertisements

Note: A value must be specified for this parameter if the User expiration date (USREXPDATE) parameter has a value of *USREXPITV. If the USREXPDATE parameter has a value other than *USREXPITV, no value is allowed for this parameter.

Authority (AUT)

Specifies the authority you are giving to users who do not have specific authority for the object, who are not on an authorization list, and whose group profile or supplemental group profiles do not have specific authority for the object.


Examples

Example 1: Creating a User Profile

CRTUSRPRF   USRPRF(JJADAMS)  PASSWORD(S1CR2T)  SPCAUT(*SAVSYS)
            INLPGM(ARLIB/DSPMENU)

This command creates a user profile with the user name of JJADAMS and a password of S1CR2T. After sign-on, a program called DSPMENU in the ARLIB library is called. The user is granted the save system special authority. Because the other parameters were not specified: (1) The profile has no limit on the amount of storage assigned to it for owned permanent objects; (2) A scheduling priority of 3 is the highest priority that any of the user’s jobs can have; (3) The user-defined description text is blank; (4) There is no group profile associated with this user profile; and (5) No authority is granted for the user profile to other users.

Example 2: Creating a User Profile with the Same User Name and Password

CRTUSRPRF   USRPRF(TMSMITH)  MAXSTG(12)  INLPGM(PROGMR/CALC)
            TEXT('Ted Smith, Dept 410, Application Programs')

This command creates a user profile with the user name of TMSMITH; the password is also TMSMITH because the password was not specified. The maximum permanent storage space the user can use for all objects is 12K (or 12,288 bytes). The initial program called following sign-on is CALC, which is located in the library named PROGMR. The text parameter provides the user’s name, department, and department name. Default values are assigned to the other parameters.

Advertisements

Source : IBM

Advertisements