Here’s the third and final part of the User Function Registration APIs by Example. This week, I put the User Function commands from parts one and two into action. I use the new CHGUSRSTS (Change User Status) command as the basis for this presentation.
As I discussed in part two, the User Function APIs offer a unique method of implementing application-level access control. The User Function facility is primarily aimed at providing and controlling access to resources and functions that would otherwise be inaccessible to users who legitimately require that access as part of their job functions.
To demonstrate such a scenario, I’m using the CHGUSRSTS command, which lets authorized help desk personnel enable a disabled user profile and also reset the profile’s password. I have created two access levels by means of the User Function facility. One gives access to reset and enable all user profiles. The other gives access only to user profiles that have a user class of *USER and no inheritance of authority from related and more powerful user profiles.
The user profile functions that the CHGUSRSTS command performs usually require both *SECADM and *ALLOBJ special authority. For the command to work properly, I have therefore made the command processing program (CPP) adopt its owner’s authority and changed the program object’s owner to QSECOFR. The first thing the CPP does is check the User Function register, to ensure that only registered user profiles can run the CHGUSRSTS command.
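The gate described above can be sketched in CL as follows. This is an added example, not the article's CPP: the two `HYP_*` function IDs, the parameter list, and the reading of "no inheritance" as "no group or supplemental group profiles" are assumptions, and the program is assumed to be owned by QSECOFR and changed with `CHGPGM ... USRPRF(*OWNER)`.

```cl
/* Added example, not the article's CPP. The HYP_* function IDs and  */
/* the parameter list are hypothetical.                              */
PGM        PARM(&USRPRF &NEWPWD)
DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)  /* profile to enable   */
DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10)  /* temporary password  */
DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
DCL        VAR(&FCNID)  TYPE(*CHAR) LEN(30)
DCL        VAR(&USAGE)  TYPE(*CHAR) LEN(1)   /* '2' = allowed       */
/* Bytes provided = 0: API errors arrive as escape messages, so an  */
/* unregistered function ID ends the program (fail closed).         */
DCL        VAR(&ERRCOD) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')
DCL        VAR(&USRCLS) TYPE(*CHAR) LEN(10)
DCL        VAR(&GRPPRF) TYPE(*CHAR) LEN(10)
DCL        VAR(&SUPGRP) TYPE(*CHAR) LEN(150)

/* Adoption does not change the job's current user, so this is the  */
/* help desk caller, not QSECOFR.                                   */
RTVJOBA    CURUSER(&CALLER)

/* Level 1: caller is registered to change any user profile.        */
CHGVAR     VAR(&FCNID) VALUE('HYP_CHGUSRSTS_ALL')
CALL       PGM(QSYS/QSYCKUFU) PARM(&USAGE &FCNID &CALLER &ERRCOD)
IF         COND(&USAGE *EQ '2') THEN(GOTO CMDLBL(CHANGE))

/* Level 2: caller may change only *USER class profiles that have   */
/* no group or supplemental group profile.                          */
CHGVAR     VAR(&FCNID) VALUE('HYP_CHGUSRSTS_USR')
CALL       PGM(QSYS/QSYCKUFU) PARM(&USAGE &FCNID &CALLER &ERRCOD)
IF         COND(&USAGE *NE '2') THEN(GOTO CMDLBL(DENY))
RTVUSRPRF  USRPRF(&USRPRF) USRCLS(&USRCLS) GRPPRF(&GRPPRF) +
             SUPGRPPRF(&SUPGRP)
IF         COND((&USRCLS *NE '*USER') *OR (&GRPPRF *NE '*NONE') +
             *OR (&SUPGRP *NE '*NONE')) THEN(GOTO CMDLBL(DENY))

/* Runs under the adopted QSECOFR authority.                        */
CHANGE:    CHGUSRPRF USRPRF(&USRPRF) PASSWORD(&NEWPWD) PWDEXP(*YES) +
             STATUS(*ENABLED)
           RETURN

DENY:      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
             MSGDTA('Not authorized to change this user profile')
ENDPGM
```

The API call is library-qualified so that the adopting program does not resolve it through the caller's library list, and both registration checks complete before any statement that depends on the adopted authority.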