Create User Profile (CRTUSRPRF)
Where allowed to run: All environments (*ALL)
Threadsafe: NoParameters
Examples
Error messagesThe Create User Profile (CRTUSRPRF) command identifies a user to the system and allows you to customize the way the system appears. When the profile is created, the profile is given *CHANGE and *OBJMGT authorities for the profile itself. The system relies on the profile having these authorities to itself and they should not be removed.
Restrictions: The user of this command must have:
- Security administrator (*SECADM) special authority
- Use (*USE) authority to the initial program, initial menu, job description, message queue, output queue, and attention-key-handling program (if specified)
- Change (*CHANGE) and object management (*OBJMGT) authorities to the group profile and supplemental group profiles (if specified).
Top
Parameters
Keyword Description Choices Notes USRPRF User profile Simple name Required, Positional 1 PASSWORD User password Character value, *USRPRF, *NONE Optional, Positional 2 PWDEXP Set password to expired *NO, *YES Optional STATUS Status *ENABLED, *DISABLED Optional USRCLS User class *USER, *SYSOPR, *PGMR, *SECADM, *SECOFR Optional ASTLVL Assistance level *SYSVAL, *BASIC, *INTERMED, *ADVANCED Optional CURLIB Current library Name, *CRTDFT Optional INLPGM Initial program to call Single values: *NONE
Other values: Qualified object nameOptional Qualifier 1: Initial program to call Name Qualifier 2: Library Name, *LIBL, *CURLIB INLMNU Initial menu Single values: *SIGNOFF
Other values: Qualified object nameOptional Qualifier 1: Initial menu Name, MAIN Qualifier 2: Library Name, *LIBL, *CURLIB LMTCPB Limit capabilities *NO, *PARTIAL, *YES Optional TEXT Text 'description' Character value, *BLANK Optional SPCAUT Special authority Single values: *USRCLS, *NONE
Other values (up to 8 repetitions): *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTLOptional, Positional 3 SPCENV Special environment *SYSVAL, *NONE, *S36 Optional DSPSGNINF Display sign-on information *SYSVAL, *NO, *YES Optional PWDEXPITV Password expiration interval 1-366, *SYSVAL, *NOMAX Optional LCLPWDMGT Local password management *YES, *NO Optional LMTDEVSSN Limit device sessions *SYSVAL, *YES, *NO Optional KBDBUF Keyboard buffering *SYSVAL, *NO, *TYPEAHEAD, *YES Optional MAXSTG Maximum allowed storage Integer, *NOMAX Optional PTYLMT Highest schedule priority 0-9, 3 Optional JOBD Job description Qualified object name Optional Qualifier 1: Job description Name, QDFTJOBD Qualifier 2: Library Name, *LIBL, *CURLIB GRPPRF Group profile Name, *NONE Optional OWNER Owner *USRPRF, *GRPPRF Optional GRPAUT Group authority *NONE, *ALL, *CHANGE, *USE, *EXCLUDE Optional GRPAUTTYP Group authority type *PRIVATE, *PGP Optional SUPGRPPRF Supplemental groups Single values: *NONE
Other values (up to 15 repetitions): NameOptional ACGCDE Accounting code Character value, *BLANK Optional DOCPWD Document password Name, *NONE Optional MSGQ Message queue Single values: *USRPRF
Other values: Qualified object nameOptional Qualifier 1: Message queue Name Qualifier 2: Library Name, *LIBL, *CURLIB DLVRY Delivery *NOTIFY, *BREAK, *HOLD, *DFT Optional SEV Severity code filter 0-99, 0 Optional PRTDEV Print device Name, *WRKSTN, *SYSVAL Optional OUTQ Output queue Single values: *WRKSTN, *DEV
Other values: Qualified object nameOptional Qualifier 1: Output queue Name Qualifier 2: Library Name, *LIBL, *CURLIB ATNPGM Attention program Single values: *NONE, *SYSVAL, *ASSIST
Other values: Qualified object nameOptional Qualifier 1: Attention program Name Qualifier 2: Library Name, *LIBL, *CURLIB SRTSEQ Sort sequence Single values: *SYSVAL, *HEX, *LANGIDSHR, *LANGIDUNQ
Other values: Qualified object nameOptional Qualifier 1: Sort sequence Name Qualifier 2: Library Name, *LIBL, *CURLIB LANGID Language ID Character value, *SYSVAL Optional CNTRYID Country or region ID Character value, *SYSVAL Optional CCSID Coded character set ID Integer, *SYSVAL, *HEX Optional CHRIDCTL Character identifier control *SYSVAL, *DEVD, *JOBCCSID Optional SETJOBATR Locale job attributes Single values: *SYSVAL, *NONE
Other values (up to 6 repetitions): *CCSID, *DATFMT, *DATSEP, *DECFMT, *SRTSEQ, *TIMSEPOptional LOCALE Locale Path name, *SYSVAL, *NONE, *C, *POSIX Optional USROPT User options Single values: *NONE
Other values (up to 7 repetitions): *CLKWD, *EXPERT, *ROLLKEY, *NOSTSMSG, *STSMSG, *HLPFULL, *PRTMSGOptional UID User ID number 1-4294967294, *GEN Optional GID Group ID number 1-4294967294, *NONE, *GEN Optional HOMEDIR Home directory Path name, *USRPRF Optional EIMASSOC EIM association Single values: *NOCHG
Other values: Element listOptional Element 1: EIM identifier Character value, *USRPRF Element 2: Association type *TARGET, *SOURCE, *TGTSRC, *ADMIN, *ALL Element 3: Association action *REPLACE, *ADD, *REMOVE Element 4: Create EIM identifier *NOCRTEIMID, *CRTEIMID AUT Authority *ALL, *CHANGE, *USE, *EXCLUDE Optional
Top
User profile (USRPRF)
Specifies the user profile to be created. A numeric user profile can be specified. If the user profile is numeric, it must begin with a Q.
This is a required parameter.
- name
- Specify the name of the user profile to be created.
Top
User password (PASSWORD)
Specifies the password that allows the user to sign on the system. The password is associated with a user profile and is used by the system to represent the user in the system. The passwords should be known only to the individual user. A numeric password can be specified.
When the system is operating at password level 0 or 1 and the password is numeric, then the password must begin with a Q, for example, Q1234 where 1234 is the password used for signing on the system.
The password level is controlled by the Password Level (QPWDLVL) system value.
The new password is not checked against the password validation rules. The password validation rules are defined by i5/OS system values. For a description of the password validation rules, see the iSeries Security Reference, SC41-5302 book.
- *USRPRF
- The password for this user is the same as the user name specified on the USRPRF parameter. When the system is operating at password level 2 or 3 and the *USRPRF value was specified for the user profile password, the user must enter their password using upper case characters.
- *NONE
- No password is associated with this user profile. Users cannot sign on a system with a profile that has PASSWORD(*NONE) specified.
- user-password
- When the system is operating at password level 0 or 1, specify an alphanumeric character string of 10 characters or less. The first character must be alphabetic and the other characters must be alphanumeric.
When the system is operating at password level 2 or 3, specify a character string of 128 characters or less. Passwords are case sensitive at password level 2 or 3.
If the local password management (LCLPWDMGT) parameter is *NO, the local i5/OS password will be set to *NONE, so the user would have the same restrictions as specifying *NONE for the password. The password value specified will be sent to other IBM products that do password synchronization (for example, iSeries Integration for Windows Server). See the documentation for the product for information on managing the passwords for the product when LCLPWDMGT(*NO) is specified for the user profile.
Top
Set password to expired (PWDEXP)
Specifies whether the password for this user is set to expired. If the password is set to expired, the user is required to change the password to sign on the system. When the user attempts to sign on the system, the sign-on information display is shown and the user has the option to change this password.
- *NO
- The password is not set to expired.
- *YES
- The password is set to expired.
Top
Status (STATUS)
Specifies the status of the user profile.
The system will disable a user profile if the number of failed sign-on attempts reaches the limit specified on the QMAXSIGN system value and option 2 or 3 has been specified on the QMAXSGNACN system value.
- *ENABLED
- The user profile is valid for sign-on.
- *DISABLED
- The user profile is not valid for sign-on until an authorized user enables it again. Batch jobs can be submitted under a disabled user profile.
Top
User class (USRCLS)
Specifies the type of user associated with this user profile: security officer, security administrator, programmer, system operator, or user. The user class controls the options that are shown on a menu. Special authorities are given only if *USRCLS is specified for the Special authority (SPCAUT) parameter. If SPCAUT(*USRCLS) is specified, the special authorities granted will differ depending on the QSECURITY value.
- *USER
- At QSECURITY level 10 or 20, the user has *ALLOBJ and *SAVSYS authority.
At QSECURITY level 30 or above, the user has no special authorities.
- *SECOFR
- At all levels of security, the security officer is granted the following special authorities:
- *ALLOBJ
- *SAVSYS
- *JOBCTL
- *SERVICE
- *SPLCTL
- *SECADM
- *AUDIT
- *IOSYSCFG
- *SECADM
- At QSECURITY level 10 or 20, the security administrator has *ALLOBJ, *SAVSYS, *SECADM, and *JOBCTL special authorities.
At QSECURITY level 30 or above, the user has *SECADM special authority.
- *PGMR
- At QSECURITY level 10 or 20, the programmer has *ALLOBJ, *SAVSYS, and *JOBCTL special authorities.
At QSECURITY level 30 or above, the user has no special authorities.
- *SYSOPR
- At QSECURITY level 10 or 20, the system operator has *ALLOBJ, *SAVSYS, and *JOBCTL special authorities.
At QSECURITY level 30 or above, the user has *SAVSYS and *JOBCTL special authorities.
Top
Assistance level (ASTLVL)
Specifies which user interface to use.
- *SYSVAL
- The assistance level defined in the system value QASTLVL is used.
- *BASIC
- The Operational Assistant user interface is used.
- *INTERMED
- The system interface is used.
- *ADVANCED
- The expert system interface is used. To allow for more list entries, option keys and function keys are not displayed. If a command does not have an advanced (*ADVANCED) level, the intermediate (*INTERMED) level is used.
Top
Current library (CURLIB)
Specifies the name of the current library associated with the job being run.
Specifies the name of the library to be used as the current library for this user. If *PARTIAL or *YES is specified for the Limit capabilities (LMTCPB) parameter of the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command, the user cannot change the current library at sign-on or with the Change Profile (CHGPRF) command.
- *CRTDFT
- This user has no current library. The library QGPL is used as the default current library.
- name
- Specify the name of the library to use as the current library for this user.
Top
Initial program to call (INLPGM)
Specifies, for an interactive job, the program called whenever a new routing step is started that has QCMD as the request processing program. If *PARTIAL or *YES is specified for the Limit capabilities (LMTCPB) parameter, the program value cannot be changed at sign on or by using the Change Profile (CHGPRF) command. No parameters can be passed to the program.
A System/36 environment procedure name can be specified as the initial program if the procedure is a member of the file QS36PRC (in the library list or specified library) and if either of the following conditions are true:
- *S36 is specified on the SPCENV parameter.
- *SYSVAL is specified on the SPCENV parameter and the system value, QSPCENV, is *S36.
Single values
- *NONE
- No program is called when the user signs on. If a menu name is specified in the Initial menu (INLMNU) parameter, that menu is displayed.
Qualifier 1: Initial program to call
- name
- Specify the name of the program that is called when the user signs on.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the job is used to locate the program. If no library is specified as the current library for the job, QGPL is used.
- name
- Specify the name of the library where the initial program is located.
Top
Initial menu (INLMNU)
Specifies the initial menu displayed when the user signs on the system if the user's routing program is the command processor QCMD. If *YES is specified for the Limit capabilities (LMTCPB) parameter, the user cannot change the menu either at sign-on or with the Change Profile (CHGPRF) command.
A System/36 environment menu can be specified as the initial menu if either of the following conditions are true:
- *S36 is specified for the Special environment (SPCENV) parameter.
- *SYSVAL is specified on the SPCENV parameter and the system value, QSPCENV, is *S36.
Single values
- MAIN
- The menu named MAIN is located and shown.
- *SIGNOFF
- The system signs off the user when the program completes. This is intended for users authorized only to run the program.
Qualifier 1: Initial menu
- name
- Specify the name of the initial menu called after the user signs on the system.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the job is used to locate the menu. If no library is specified as the current library for the job, QGPL is used.
- name
- Specify the nameof the library where the initial menu is located.
Top
Limit capabilities (LMTCPB)
Specifies the limit to which the user can control the program, menu, current library, and the ATTN key handling program values. It also determines whether the user can run commands from a command line. This parameter is ignored when the security level is 10.
When creating or changing other users' user profiles, you cannot specify values on this parameter that grant greater capabilities to other users than your own user profile grants to you. For example, if *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter in your user profile, you can specify *PARTIAL or *YES for another user. You cannot specify *NO for another user.
- *NO
- The program, menu, and current library values can be changed when the user signs on the system. Users may change the program, menu, current library, or ATTN key handling program values in their own user profiles with the Change Profile (CHGPRF) command. Commands can be run from a command line.
- *PARTIAL
- The program and current library cannot be changed on the sign-on display. The menu can be changed and commands can be run from a command line. A user can change the menu value with the Change Profile (CHGPRF) command. The program, current library, and the ATTN key handling program cannot be changed using the CHGPRF command.
- *YES
- The program, menu, and current library values cannot be changed on the sign-on display. Commands cannot be run when issued from a command line or by selecting an option from a command grouping menu such as CMDADD, but can still be run from a command entry screen. The user cannot change the program, menu, current library, or the ATTN key program handling values by using the CHGPRF command.
Top
Text 'description' (TEXT)
Specifies the text that briefly describes the object.
- *BLANK
- No text is specified.
- 'description'
- Specify no more than 50 characters of text, enclosed in apostrophes.
Top
Special authority (SPCAUT)
Specifies the special authorities given to a user. Special authorities are required to perform certain functions on the system. Special authorities cannot be removed from many of the system-supplied user profiles, including QSECOFR and QSYS.
The following special authorities are usually given:
- Save system (*SAVSYS) special authority to users who need to operate the system.
- Input/output system configuration (*IOSYSCFG) special authority to users who need to change system I/O configurations.
- Job control (*JOBCTL) special authority is given to the user. The user is given the authority to change, display, hold, release, cancel, and clear all jobs that are running on the system or that are on a job queue or output queue that has OPRCTL (*YES) specified. The user also has the authority to load the system, to start writers, and to stop active subsystems.
- Security administrator (*SECADM) special authority to users who need to create, change, or delete user profiles.
- All object (*ALLOBJ) special authority to users who need to work with system resources.
- Service (*SERVICE) special authority to users who need to perform service functions.
- Spool control (*SPLCTL) special authority to users who need to perform all spool-related functions.
- Audit (*AUDIT) special authority to users who need to perform auditing functions.
Restrictions:
- The user profile creating or changing another user profile must have all of the special authorities being given. All special authorities are needed to give all special authorities to another user profile.
- A user must have *ALLOBJ and *SECADM special authorities to give a user *SECADM special authority when using the CHGUSRPRF command.
- The user must have *ALLOBJ, *SECADM, and *AUDIT special authorities to give a user *AUDIT special authority when using the CHGUSRPRF command.
Single values
- *USRCLS
- Special authorities are granted to this user based on the value specified on User class (USRCLS) parameter.
- *NONE
- No special authorities are granted to this user.
Other values
- *ALLOBJ
- All object authority is given to the user. The user can access any system resource with or without private user authorizations.
- *AUDIT
- Audit authority is granted to this user. The user is given the authority to perform auditing functions. Auditing functions include turning auditing on or off for the system and controlling the level of auditing on an object or user.
- *JOBCTL
- Job control authority is given to the user. The user has authority to change, display, hold, release, cancel, and clear all jobs that are running on the system or that are on a job queue or output queue that has OPRCTL (*YES) specified. The user also has the authority to start writers and to stop active subsystems.
- *SAVSYS
- Save system authority is given to the user profile. This user has the authority to save, restore, and free storage for all objects on the system, with or without object management authority.
- *IOSYSCFG
- Input/output (I/O) system configuration authority is given to the user. The user has authority to change system I/O configurations.
- *SECADM
- Security administrator authority is given to the user. The user can create, change, or delete user profiles if authorized to the Create User Profile (CRTUSRPRF), Change User Profile (CHGUSRPRF), or Delete User Profile (DLTUSRPRF) commands and is authorized to the user profile. This authority does not allow giving special authorities that this user profile does not have. To give *SECADM special authority to another user, a user must have both *ALLOBJ and *SECADM special authorities.
- *SERVICE
- Service authority is given to this user. The user can perform service functions.
- *SPLCTL
- Spool control authority is given to this user. The user can perform all spool functions.
Top
Special environment (SPCENV)
Specifies the special environment in which the user operates after signing on.
- *SYSVAL
- The system value, QSPCENV, is used to determine the system environment after the user signs on the system.
- *NONE
- The user operates in the i5/OS system environment after signing on the system.
- *S36
- The user operates in the System/36 environment after signing on the system.
Top
Display sign-on information (DSPSGNINF)
Specifies whether the sign-on information display is shown.
- *SYSVAL
- The system value QDSPSGNINF is used to determine whether the sign-on information display is shown.
- *NO
- The sign-on information display is not shown.
- *YES
- The sign-on information display is shown.
Top
Password expiration interval (PWDEXPITV)
Specifies the password expiration interval (in days).
- *SYSVAL
- The system value QPWDEXPITV is used to determine the password expiration interval.
- *NOMAX
- The password does not expire.
- 1-366
- Specify the number of days between the date when the password is changed and the date when the password expires. Valid values range from 1 through 366.
Top
Local password management (LCLPWDMGT)
Specifies whether the user profile password should be managed locally.
- *YES
- Password will be managed on the local system.
- *NO
- Password will not be managed on the local system. Specifying this value will cause the local i5/OS password to be set to *NONE. The password value specified in the password parameter will be sent to other IBM products that do password synchronization (for example, iSeries Integration for Windows Server).
The user will not be able to change their own password using the Change Password (CHGPWD) command. They also will not be able to sign on to the system directly.
Specifying this value will affect other IBM products that do password synchronization, like iSeries Integration for Windows Server. See the documentation for the product for details.
This value should be used if the user only needs to access the system through some other platform, such as Windows.
Top
Limit device sessions (LMTDEVSSN)
Specifies if the number of device sessions allowed for a user is limited to 1. This does not limit SYSREQ and second sign-on.
- *SYSVAL
- The system value QLMTDEVSSN is used to determine whether the user is limited to a single device session.
- *NO
- The user is not limited to a single device session.
- *YES
- The user is limited to a single device session.
Top
Keyboard buffering (KBDBUF)
Specifies the keyboard buffering value to be used when a job is initialized for this user profile. If the type-ahead feature is active, you can buffer your keyboard strokes. If the attention key buffering option is active, the attention key is buffered as any other key. If it is not active, the attention key is not buffered and is sent to the system even if the display station is input-inhibited. This value can also be set by a user application. More information is in the System API Reference information in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.
- *SYSVAL
- The system value, QKBDBUF, is used to determine the keyboard buffering value.
- *NO
- The type-ahead feature and attention key buffering option are not active.
- *TYPEAHEAD
- The type-ahead feature is active, but the attention key buffering option is not.
- *YES
- The type-ahead feature and attention key buffering option are active.
Top
Maximum allowed storage (MAXSTG)
Specifies the maximum amount of auxiliary storage (in kilobytes) assigned to store permanent objects owned by this user profile (1 kilobyte equals 1024 bytes). If the maximum is exceeded when an interactive user tries to create an object, an error message is displayed, and the object is not created. If the maximum is exceeded when an object is created in a batch job, an error message is sent to the job log (depending on the logging level of the job), and the object is not created.
Storage is allocated in 4K increments. Therefore, if you specify MAXSTG (9), the profile is allocated 12K of storage.
When planning maximum storage for user profiles, consider the following system actions:
- A restore operation assigns the storage to the user doing the restore, and then transfers the object to the owner. For a large restore, specify MAXSTG(*NOMAX).
- The user profile that creates a journal receiver is assigned the required storage as the receiver size grows. If new receivers are created using JRNRCV(*GEN), the storage continues to be assigned to the user profile that owns the active journal receiver. If a very active journal receiver is owned, specify MAXSTG(*NOMAX).
- User profiles that transfer created objects to their group profile must have adequate storage in the user profiles to contain created objects before the objects are transferred to the group profile.
- The owner of the library is assigned the storage for the descriptions of objects which are stored in a library, even when the objects are owned by another user profile. Examples of such objects are text and program references.
- *NOMAX
- As much storage as is required is assigned to this profile.
- number
- Specify the maximum amount of storage for the user, in kilobytes (1 kilobyte equals 1024 bytes).
Top
Highest schedule priority (PTYLMT)
Specifies the highest scheduling priority the user is allowed to have for each job submitted to the system. This value controls the job processing priority and output priority for any job running under this user profile; that is, values specified in the JOBPTY and OUTPTY parameters of any job command cannot exceed the PTYLMT value of the user profile under which the job is run. The scheduling priority can have a value ranging from 0 through 9, where 0 is the highest priority and 9 is the lowest priority.
- 3
- The user named in this profile can have a priority value no higher than 3 for scheduling jobs on the system.
- 0-9
- Specify a value ranging from 0 through 9 for the highest scheduling priority that the user is allowed.
Top
Job description (JOBD)
Specifies the job description used for jobs that start through subsystem work station entries. If the job description does not exist when the user profile is created or changed, a library qualifier must be specified, because the job description name is kept in the user profile.
Qualifier 1: Job description
- QDFTJOBD
- The default system-supplied job description found in library QGPL is used.
- name
- Specify the name of job description used for the work station entries whose job description parameter values indicate the user JOBD(*USRPRF).
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is used.
- name
- Specify the name of the library to be searched.
Top
Group profile (GRPPRF)
Specifies the user's group profile name whose authority is used if no specific authority is given for the user. The current user of this command must have object management (*OBJMGT) and change (*CHANGE) authority to the profile specified for the Group profile (GRPPRF) parameter. The required *OBJMGT authority cannot be given by a program adopt operation.
- When a group profile is specified, the user is automatically granted *CHANGE and *OBJMGT authority to the group profile.
- The following IBM-supplied objects are not valid on this parameter.
QANZAGENT, QAUTPROF, QCLUMGT, QCLUSTER, QCOLSRV, QDBSHR, QDBSHRDO, QDFTOWN, QDIRSRV, QDLFM, QDOC, QDSNX, QEJB, QFNC, QGATE, QIBMHELP, QIPP, QLPAUTO, QLPINSTALL, QMGTC, QMSF, QNETSPLF, QNFSANON, QNTP, QPEX, QPM400, QRJE, QSNADS, QSPL, QSPLJOB, QSRV, QSRVAGT, QSRVBAS, QSYS, QTCM, QTCP, QTFTP, QTSTRQS, QYCMCIMOM, QYPSJSVR
- *NONE
- This user profile has no group profile.
- name
- Specify the name of the group profile used with this user profile.
Top
Owner (OWNER)
Specifies the user profile that is to be the owner of objects created by this user.
- *USRPRF
- The user profile associated with the job is the owner of the object.
- *GRPPRF
- The group profile is made the owner of newly created objects and has all authority to the object. The user profile associated with the job does not have any specific authority to the object. If *GRPPRF is specified, a user profile name must be specified for the Group profile (GRPPRF) parameter, and the Group authority (GRPAUT) parameter cannot be specified.
Top
Group authority (GRPAUT)
The specific authority given to the group profile for newly created objects. If *GRPPRF is specified for the Owner (OWNER) parameter, specification of this parameter is not allowed.
- *NONE
- No group authority is given.
- *ALL
- The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
- *CHANGE
- The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
- *USE
- The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
- *EXCLUDE
- The user cannot access the object.
Top
Group authority type (GRPAUTTYP)
Specifies the type of authority to be granted to the group profile for newly-created objects. If *NONE is specified for the Group authority (GRPAUT) parameter, specification of this parameter is ignored.
- *PRIVATE
- The group profile is granted private authority to newly-created objects, with the authority value determined by the GRPAUT parameter. If the authority value in the GRPAUT parameter is *NONE, this value is ignored.
- *PGP
- The group profile is be the primary group for newly-created objects, with the authority value determined by the GRPAUT parameter. If the authority value in the GRPAUT parameter is *NONE, this value is ignored.
Top
Supplemental groups (SUPGRPPRF)
Specifies the user's supplemental group profiles. The profiles specified here, along with the group profile specified for the Group profile (GRPPRF) parameter, are used to determine what authority the user has if no specific user authority is given for the job. If profiles are specified for this parameter, a group profile name must be specified on the GRPPRF parameter for this user profile (either on this command or on a previous Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command. The current user of this command must have object management (*OBJMGT) and change (*CHANGE) authority to the profiles specified for this. The required *OBJMGT authority cannot be given by a program adopt operation.
Notes:
- When a group profile is specified, the user is automatically granted *CHANGE and *OBJMGT authority to the group profile.
- The following IBM-supplied user profiles are not valid for this parameter:
QANZAGENT, QAUTPROF, QCLUMGT, QCLUSTER, QCOLSRV, QDBSHR, QDBSHRDO, QDFTOWN, QDIRSRV, QDLFM, QDOC, QDSNX, QEJB, QFNC, QGATE, QIBMHELP, QIPP, QLPAUTO, QLPINSTALL, QMGTC, QMSF, QNETSPLF, QNFSANON, QNTP, QPEX, QPM400, QRJE, QSNADS, QSPL, QSPLJOB, QSRV, QSRVAGT, QSRVBAS, QSYS, QTCM, QTCP, QTFTP, QTSTRQS, QYCMCIMOM, QYPSJSVR
- *NONE
- No supplemental group profiles are used with this user profile.
- name
- Specify a maximum of 15 group profile names used with this user profile and the group profile specified on the GRPPRF parameter to determine a job's eligibility for getting access to existing objects and special authority.
Top
Accounting code (ACGCDE)
Specifies the accounting code that is associated with this user profile.
- *BLANK
- An accounting code consisting of 15 blanks is assigned to this user profile.
- character-value
- Specify the 15-character accounting code to be used by jobs that get their accounting code from this user profile. If less than 15 characters are specified, the string is padded on the right with blanks.
Top
Document password (DOCPWD)
Specifies the document password that allows Document Interchange Architecture (DIA) document distribution services users protect personal distributions from being used by people who work on their behalf.
- *NONE
- No document password is used by this user.
- name
- Specify the document password to be assigned to this user. The password must range from 1 through 8 alphanumeric characters (letters A through Z and numbers 0 through 9). The first character of the document password must be alphabetic; the remaining characters can be alphanumeric. Embedded blanks, leading blanks, and special characters are not valid.
Top
Message queue (MSGQ)
Specifies the message queue to which messages are sent.
The message queue is created, if it does not already exist. The user profile specified for the User profile (USRPRF) parameter is the owner of the message queue.
Single values
- *USRPRF
- A message queue with the same name as that specified for the USRPRF parameter is used as the message queue for this user. This message queue is located in the QUSRSYS library.
Qualifier 1: Message queue
- name
- Specify the name of the message queue to be used with this profile.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is used.
- name
- Specify the name of the library to be searched.
Top
Delivery (DLVRY)
Specifies how messages are sent to the message queue for this user are to be delivered.
- *NOTIFY
- The job to which the message queue is assigned is notified when a message arrives at the message queue. For interactive jobs at a work station, the audible alarm is sounded (if the alarm feature is set) and the Message Waiting light is turned on. The delivery mode cannot be changed to *NOTIFY if the message queue is also being used by another job.
- *HOLD
- The messages are held in the message queue until they are requested by the user or program.
- *BREAK
- The job to which the message queue is assigned is interrupted when a message arrives at the message queue. If the job is an interactive job, the audible alarm is sounded (if the alarm feature is set). The delivery mode cannot be changed to *BREAK if the message queue is also being used by another job.
- *DFT
- The default reply to the inquiry message is sent. If no default reply is specified in the message description of the inquiry message, the system default reply, *N, is used.
Top
Severity code filter (SEV)
Specifies the lowest severity code that a message can have and still be delivered to a user in break or notify mode. Messages arriving at the message queue whose severities are lower than the severity code specified for this parameter do not interrupt the job or turn on the audible alarm or the message-waiting light; they are held in the queue until they are requested by using the Display Message (DSPMSG) command. If *BREAK or *NOTIFY is specified for the Delivery (DLVRY) parameter, and is in effect when a message arrives at the queue, the message is delivered if the severity code associated with the message is equal or greater then the value specified here. Otherwise, the message is held in the queue until it is requested.
- 0
- If a severity code is not specified, 0 is used.
- 0-99
- Specify a severity code ranging from 00 through 99.
Top
Print device (PRTDEV)
Specifies the default printer device for this user. If the printer file used to create printed output specifies to spool the data, the spooled file is placed on the device's output queue, which is named the same as the device.
This assumes the defaults are specified for the Output queue (OUTQ) parameter for the printer file, job description, user profile and workstation.
- *WRKSTN
- The printer assigned to the user's work station is used.
- *SYSVAL
- The value specified in the system value QPRTDEV is used.
- name
- Specify the name of a printer that is to be used to print the output for this user.
Top
Output queue (OUTQ)
Specifies the output queue to be used by this user profile. The output queue must already exist when this command is run.
Single values
- *WRKSTN
- The output queue assigned to the user's work station is used.
- *DEV
- The output queue associated with the printer specified for the Print device (PRTDEV) parameter is used. The output queue has the same name as the printer. (The printer file DEV parameter is determined by the CRTPRTF, CHGPRTF, or the OVRPRTF command).
This assumes the defaults are specified for the Output queue (OUTQ) parameter for the printer file, job description, user profile and workstation.
Qualifier 1: Output queue
- name
- Specify the name of the output queue to be used by this user profile.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is used.
- name
- Specify the name of the library to be searched.
Top
Attention program (ATNPGM)
Specifies the program to be used as the Attention (ATTN) key handling program for this user. The ATTN key handling program is called when the ATTN key is pressed during an interactive job. The program is active only when the user routes to the system-supplied QCMD command processor. The ATTN key handling program is set on before the initial program (if any) is called and it is active for both program and menu. If the program changes the ATNPGM (by using the SETATNPGM command), the new program remains active only for the duration of the program. When control returns and QCMD calls the menu, the original ATTN key handling program becomes active again. If the SETATNPGM command is run from the menus or an application is called from the menus, the new ATTN key handling program that is specified overrides the original ATTN key handling program. If *YES or *PARTIAL is specified for the Limit capabilities (LMTCPB) parameter on the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command, the ATTN key handling program cannot be changed.
Single values
- *SYSVAL
- The system value QATNPGM is used.
- *NONE
- No ATTN key handling program is used by this user.
- *ASSIST
- The Operational Assistant ATTN key handling program, QEZMAIN, is used.
Qualifier 1: Attention program
- name
- Specifies the name of the ATTN key handling program to be used for this user profile.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is used.
- name
- Specify the name of the library to be searched.
Top
Sort sequence (SRTSEQ)
Specifies the sort sequence table to be used for string comparisons for this profile.
Single values
- *SYSVAL
- The system value QSRTSEQ is used.
- *HEX
- A sort sequence table is not used. The hexadecimal values of the characters are used to determine the sort sequence.
- *LANGIDUNQ
- A unique-weight sort table is used.
- *LANGIDSHR
- A shared-weight sort table is used.
Qualifier 1: Sort sequence
- name
- Specify the name of the sort sequence table to be used with this profile.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is used.
- name
- Specify the name of the library to be searched.
Top
Language ID (LANGID)
Specifies the language identifier to be used for this user.
- *SYSVAL
- The system value QLANGID is used.
- language-identifier
- Specify the language identifier to be used. More information on valid language identifiers is in the Globalization topic in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter .
Top
Country or region ID (CNTRYID)
Specifies the country or region identifier to be used for this user.
- *SYSVAL
- The system value QCNTRYID is used.
- character-value
- Specify a country or region identifier. To see a complete list of identifiers when prompting this command, position the cursor on the field for this parameter and press F4 (Prompt).
Top
Coded character set ID (CCSID)
Specifies the coded character set identifier (CCSID) to be used for this user.
A CCSID is a 16-bit number identifying a specific set of encoding scheme identifiers, character set identifiers, code page identifiers, and additional coding-related information that uniquely identifies the coded graphic representation used.
If the value for CCSID is changed, the change does not affect jobs that are currently running.
- *SYSVAL
- The system value QCCSID is used.
- *HEX
- The CCSID 65535 is used.
- identifier
- Specify the CCSID to be used for this user profile. More information on valid CCSIDs is in the Globalization information in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.
Top
Character identifier control (CHRIDCTL)
Specifies the character identifier control (CHRIDCTL) for the job. This attribute controls the type of coded character set identifier (CCSID) conversion that occurs for display files, printer files and panel groups. The *CHRIDCTL special value must be specified for the Character identifier (CHRID) parameter on the create, change, or override commands for display files, printer files, and panel groups before this attribute will be used.
- *SYSVAL
- The system value QCHRIDCTL is used.
- *DEVD
- The *DEVD special value performs the same function as on the CHRID command parameter for display files, printer files, and panel groups.
- *JOBCCSID
- The *JOBCCSID special value performs the same function as on the CHRID command parameter for display files, printer files, and panel groups.
Top
Locale job attributes (SETJOBATR)
Specifies which job attributes are to be taken from the locale specified for the Locale (LOCALE) parameter when the job is initiated.
Single values
- *SYSVAL
- The system value, QSETJOBATR, is used to determine which job attributes are taken from the locale.
- *NONE
- No job attributes are taken from the locale.
Other values
- *CCSID
- The coded character set identifier from the locale is used. The CCSID value from the locale overrides the user profile CCSID.
- *DATFMT
- The date format from the locale is used.
- *DATSEP
- The date separator from the locale is used.
- *DECFMT
- The decimal format from the locale is used.
- *SRTSEQ
- The sort sequence from the locale is used. The sort sequence from the locale overrides the user profile sort sequence.
- *TIMSEP
- The time separator from the locale is used.
Top
Locale (LOCALE)
Specifies the path name of the locale that is assigned to the LANG environment variable for this user.
- *SYSVAL
- The system value QLOCALE is used to determine the locale path name to be assigned for this user.
- *NONE
- No locale path name is assigned for this user.
- *C
- The C locale path name is assigned for this user.
- *POSIX
- The POSIX locale path name is assigned for this user.
- 'path-name'
- Specify the path name of the locale to be assigned for this user.
Top
User options (USROPT)
Specifies the level of help information detail to be shown and the function of the Page Up and Page Down keys by default. The system shows several displays that are suitable for the inexperienced user. More experienced users must perform an extra action to see detailed information. When values are specified for this parameter, the system presents detailed information without further action by the experienced user.
Single values
- *NONE
- Detailed information is not shown.
Other values
- *CLKWD
- Parameter keywords are shown instead of the possible parameter values when a control language (CL) command is prompted.
- *EXPERT
- More detailed information is shown when the user is performing display and edit options to define or change the system (such as edit or display object authority).
- *ROLLKEY
- The actions of the Page Up and Page Down keys are reversed.
- *NOSTSMSG
- Status messages are not displayed when sent to the user.
- *STSMSG
- Status messages are displayed when sent to the user.
- *HLPFULL
- Help text is shown on a full display rather than in a window.
- *PRTMSG
- A message is sent to this user's message queue when a spooled file for this user is printed or held by the printer writer.
Top
User ID number (UID)
Specifies the user ID number (uid number) for this user profile. The uid number is used to identify the user when the user is using the directory file system. The uid number for a user cannot be changed if there are one or more active jobs for the user.
- *GEN
- The uid number is generated for the user. The system generates a uid number that is not already assigned to another user. The uid number generated is greater than 100.
- number
- Specify the uid number to be assigned to the user profile. A value from 1 to 4294967294 can be entered. The uid number assigned must not already be assigned to another user profile.
Top
Group ID number (GID)
Specify the group ID number (gid number) for this user profile. The gid number is used to identify the group profile when a member of the group is using the directory file system. The gid number for a user may not be changed if:
- The user profile is the primary group of an object in a directory.
- There are one or more active jobs for the user.
- *NONE
- The user does not have a gid number or an existing gid number is removed.
- *GEN
- The gid number will be generated for the user. The system generates a gid number that is not already assigned to another user. The gid number generated is greater than 100.
- number
- Spcify the gid number to be assigned to the user profile. A value from 1 to 4294967294 can be entered. The gid number assigned must not already be assigned to another user profile.
Top
Home directory (HOMEDIR)
Specifies the path name of the home directory for this user profile. The home directory is the user's initial working directory. The working directory, associated with a process, is used during path name resolution in the directory file system for path names that do not begin with a slash (/). If the home directory specified does not exist when the user signs on, the user's initial working directory is the root (/) directory.
- *USRPRF
- The home directory assigned to the user will be /home/USRPRF, where USRPRF is the name of the user profile.
- 'path-name'
- Specify the path name of the home directory to be assigned to this user.
For more information on specifying path names, refer to "Object naming rules" in the CL concepts and reference topic in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.
Top
EIM association (EIMASSOC)
Specifies whether an EIM (Enterprise Identity Mapping) association should be added to an EIM identifier for this user.
Note.
- This information is not stored in the user profile. This information is not saved or restored with the user profile.
- If this system is not configured for EIM, then no processing is done. Not being able to perform EIM operations does not cause the command to fail.
Single values
- *NOCHG
- EIM association will not be added.
Element 1: EIM identifier
Specifies the EIM identifier for this association.
- *USRPRF
- The name of the EIM identifer is the same name as the user profile.
- character-value
- Specify the name of the EIM identifier.
Element 2: Association type
Specifies the type of association. IBM recommends that a target association is added for an i5/OS user.
Target associations are primarily used to secure existing data. They will be found as the result of a mapping lookup operation (that is, eimGetTargetFromSource()), but cannot be used as the source identity for a mapping lookup operation.
Source associations are primarily for authentication purposes. They can be used as the source identity of a mapping lookup operation, but will not be found as the target of a mapping lookup operation.
Administrative associations are used to show that an identity is associated with an EIM identifier, but cannot be used as the source for, and will not be found as the target of, a mapping lookup operation.
- *TARGET
- Process a target association.
- *SOURCE
- Process a source association.
- *TGTSRC
- Process both a target and a source association.
- *ADMIN
- Process an administrative association.
- *ALL
- Process all association types.
Element 3: Association action
- *REPLACE
- Associations of the specified type will be removed from all EIM identifiers that have an association for this user profile and local EIM registry. A new association will be added to the specified EIM identifier.
- *ADD
- Add an association.
- *REMOVE
- Remove an association.
Element 4: Create EIM identifier
Specifies whether the EIM identifier should be created if it does not already exist.
- *NOCRTEIMID
- EIM identifier does not get created.
- *CRTEIMID
- EIM identifier gets created if it does not exist.
Top
Authority (AUT)
Specifies the authority you are giving to users who do not have specific authority for the object, who are not on an authorization list, and whose group profile or supplemental group profiles do not have specific authority for the object.
- *EXCLUDE
- The user cannot access the object.
- *ALL
- The user performs all operations on the object except those limited to the owner.
- *CHANGE
- The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
- *USE
- The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
Top
Examples
Example 1: Creating a User Profile
CRTUSRPRF USRPRF(JJADAMS) PASSWORD(S1CR2T) SPCAUT(*SAVSYS) INLPGM(ARLIB/DSPMENU)This command creates a user profile with the user name of JJADAMS and a password of S1CR2T. After sign-on, a program called DSPMENU in the ARLIB library is called. The user is granted the save system special authority. Because the other parameters were not specified: (1) The profile has no limit on the amount of storage assigned to it for owned permanent objects; (2) A scheduling priority of 3 is the highest priority that any of the user's jobs can have; (3) The user-defined description text is blank; (4) There is no group profile associated with this user profile; and (5) No authority is granted for the user profile to other users.
Example 2: Creating a User Profile with the Same User Name and Password
CRTUSRPRF USRPRF(TMSMITH) MAXSTG(12) INLPGM(PROGMR/CALC) TEXT('Ted Smith, Dept 410, Application Programs')This command creates a user profile with the user name of TMSMITH; the password is also TMSMITH because the password was not specified. The maximum permanent storage space the user can use for all objects is 12K (or 12,288 bytes). The initial program called following sign-on is CALC, which is located in the library named PROGMR. The text parameter provides the user's name, department, and department name. Default values are assigned to the other parameters.
Top
Error messages
*ESCAPE Messages
- CPF22CE
- The &1 value &2 is used by another user profile.
- CPF22CF
- User profile not allowed to be a group profile.
- CPF22DB
- The user profile being changed must have a GID.
- CPF22DF
- Unable to process request for user profile &1.
- CPF22EB
- Unable to process request for user profile &1.
- CPF22E1
- USROPT parameter cannot specify *STSMSG and *NOSTSMSG.
- CPF22F1
- Coded character set identifier &1 not valid.
- CPF22F3
- &1 specified a LMTCPB value that is not permitted.
- CPF22F5
- Value for new password not allowed at password level &2.
- CPF2202
- Do not have authority to create user profile.
- CPF2209
- Library &1 not found.
- CPF2213
- Not able to allocate user profile &1.
- CPF2214
- User profile &1 already exists.
- CPF2225
- Not able to allocate internal system object.
- CPF224A
- User profile &1 cannot have a GID and be a member of a group.
- CPF2242
- Object &1 type *&2 not found in library list.
- CPF2244
- Object &1 type *&2 cannot be found.
- CPF225A
- User profile name specified on both USRPRF and SUPGRPPRF parameters.
- CPF2259
- Group profile &1 not found.
- CPF2260
- User profile &2 was not created or changed. Reason code &3.
- CPF2261
- OWNER or GRPAUT value not permitted.
- CPF2262
- Value for GRPAUT not correct.
- CPF2269
- Special authority *ALLOBJ required when granting *SECADM or *AUDIT.
- CPF2272
- Cannot allocate user profile &1.
- CPF2291
- User profile does not have all special authorities being granted.
- CPF2292
- *SECADM required to create or change user profiles.
- CPF2293
- Storage limit exceeded for user profile &1.
- CPF9802
- Not authorized to object &2 in &3.
- CPF9820
- Not authorized to use library &1.
- CPF9825
- Not authorized to device &1.
Top