ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvplangrpprof.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan group profiles" />
<meta name="abstract" content="This topic describes the purpose of group profiles and how to design them. Use group profiles to define authorities for a group of users, rather than giving authority to each user individually." />
<meta name="description" content="This topic describes the purpose of group profiles and how to design them. Use group profiles to define authorities for a group of users, rather than giving authority to each user individually." />
<meta name="DC.Relation" scheme="URI" content="rzamvplanusergrp.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvgroupprof.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="plangrpprof" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan group profiles</title>
</head>
<body id="plangrpprof"><a name="plangrpprof"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan group profiles</h1>
<div><p>This topic describes the purpose of group profiles and how to design
them. Use group profiles to define authorities for a group of users, rather
than giving authority to each user individually.</p>
<p>A user can be a member of up to 16 group profiles. You can use a group
profile as a pattern for creating individual user profiles.</p>
<p>Once you identify your user groups, you are ready to plan a profile for
each group. Many of the decisions you make affect both security and customizing.
For example, when you specify an initial menu, you might be restricting a
user to only that menu. But you are also ensuring that the user sees the correct
menu after signing on.</p>
<div class="p">A group profile is a special type of user profile. It serves two purposes
on the system: <dl><dt class="dlterm">Security tool</dt>
<dd>A group profile provides a method for organizing authorities on your system
and sharing them among users. You can define object authorities or special
authorities for group profiles rather than for each individual user profile.
A user may be a member of up to 16 group profiles.</dd>
<dt class="dlterm">Customizing tool</dt>
<dd>A group profile can be used as a pattern for creating individual user
profiles. Most people who are part of the same group have the same customizing
needs, such as the initial menu and the default printer. You can define these
things in the group profile and then copy the group profile to create individual
user profiles.</dd>
</dl>
 </div>
<div class="p">A group profile is a useful tool when several users have similar security
requirements. They are particularly useful when job requirements and group
membership change. For example, if members of a department have responsibility
for an application, a group profile can be set up for the department. As users
join or leave the department, the group profile field in their user profiles
can be changed. This is easier to manage than removing individual authorities
from user profiles. You can create profiles specifically to be group profiles,
or you can make an existing profile into a group profile. A group profile
is simply a special type of user profile. It becomes a group profile when
one of the following occurs: <ul><li>Another profile designates it as a group profile.</li>
<li>You assign a group identification number (<var class="varname">gid</var>) to it.</li>
</ul>
 </div>
<div class="p">For example: <ol><li>Create a profile called GRPIC: <kbd class="userinput">CRTUSRPRF GRPIC</kbd></li>
<li>When the profile is created, it is an ordinary profile, not a group profile.</li>
<li>Designate GRPIC as the group profile for another group profile: <kbd class="userinput">CHGUSRPRF
USERA GRPPRF(GRPIC)</kbd></li>
<li>The system now treats GRPIC as a group profile and assigns a <var class="varname">gid</var> to
it.</li>
</ol>
</div>
<div class="section"><h4 class="sectiontitle">Create a group profile plan</h4><p>You create group profiles
in the same way that you create individual profiles. The system recognizes
a group profile when you add the first member to it. At that point, the system
sets information in the profile indicating that it is a group profile. The
system also generates a group identification number (<var class="varname">gid</var>)
for the profile. You can also designate a profile as a group profile at the
time that you create it by specifying a value in the GID parameter.</p>
<div class="p">Perform
the following steps to plan group profiles: <ol><li>Prepare a <a href="rzamvusergrpdescworksheet.htm#usergrpdescworksheet">user
group description worksheet</a> for each identified group.</li>
<li>Name groups consistently.</li>
<li>Use the <a href="rzamvnamingworksheet.htm#namingworksheet">naming
conventions worksheet</a> to document your group naming conventions.</li>
<li>Determine the application and library needs of each user group. Use the <a href="rzamvappdescworksheet.htm#appdescworksheet">application descriptions</a> and <a href="rzamvlibdescworksheet.htm#libdescworksheet">library description worksheets</a>. </li>
<li>Define the job description for user groups.</li>
</ol>
</div>
<p><span class="uicontrol">Planning Primary Groups for Objects</span></p>
<p>Any
object on the system can have a primary group. Primary group authority can
provide a performance advantage if the primary group is the first group for
most users of an object. Often, one group of users is responsible for some
information on the system, such as customer information. That group needs
more authority to the information than other system users. By using primary
group authority, you can set up this type of authority scheme without affecting
the performance of authority checking.</p>
<p><span class="uicontrol">Planning Multiple
Group Profiles</span></p>
<p>A user can be a member of up to 16 groups:
the first group (GRPPRF parameter in the user profile) and 15 supplemental
groups (SUPGRPPRF parameter in the user profile). By using group profiles,
you can manage authority more efficiently and reduce the number of individual
private authorities for objects. However, the misuse of group profiles can
have a negative impact on the performance of authority checking.</p>
<div class="p">Follow
these suggestions when using multiple group profiles: <ul><li>Try to use multiple groups in combination with primary group authority
and eliminate private authority to objects.</li>
<li>Carefully plan the sequence in which group profiles are assigned to a
user. The user’s first group should relate to the user’s primary assignment
and the objects used most often. For example, assume a user called WAGNERB
does inventory work regularly and does order entry work occasionally. The
profile needed for inventory authority (DPTIC) should be WAGNERB’s first group.
The profile needed for order entry work (DPTOE) should be WAGNERB’s first
supplemental group. The sequence in which private authorities are specified
for an object has no effect on authority checking performance.</li>
<li>If you plan to use multiple groups, be sure you understand how using multiple
groups in combination with other authority techniques, such as authorization
lists, may affect your system performance.</li>
</ul>
 </div>
</div>
<div class="section"><h4 class="sectiontitle">Prepare a user description worksheet</h4><p>In
this example, the <a href="rzamvusergrpdescworksheet.htm#usergrpdescworksheet">User group description worksheet</a> includes
the group profile name, the applications and libraries that the group uses.</p>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Example: User Group Description Worksheet</caption><thead align="left"><tr><th colspan="2" valign="top" id="d0e131">User Group Description Worksheet</th>
</tr>
</thead>
<tbody><tr><td colspan="2" valign="top" headers="d0e131 ">Group profile name: <kbd class="userinput">DPTWH</kbd><p>Description
of the group: <kbd class="userinput">Warehouse department</kbd></p>
</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e131 ">Primary application for the group: <kbd class="userinput">Inventory
control</kbd><p>List other applications needed by the group: <kbd class="userinput">None</kbd></p>
</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e131 ">List each library that the group needs.
Place an <kbd class="userinput">X</kbd> in front of each library that should be
in the initial library list for each group. <ul><li><strong><kbd class="userinput">X</kbd></strong> <kbd class="userinput">ITEMLIB</kbd></li>
<li><strong><kbd class="userinput">X</kbd></strong> <kbd class="userinput">ICPGMLIB</kbd></li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Name group profiles</h4><div class="p">Because a group profile acts
as a special type of user profile, you may want to identify group profiles
on lists and displays. You need to assign them special names. To appear together
on lists, your group profiles should begin with the same characters, such
as GRP (for group) or DPT (for department). Use these guidelines when naming
user groups: <ul><li>User group names can be up to 10 characters long.</li>
<li>The name may include letters, numbers, and the special characters: pound
(#), dollar ($), underline (_), and the at sign (@).</li>
<li>The name cannot begin with a number.</li>
</ul>
 </div>
<div class="note"><span class="notetitle">Note:</span> For each group profile, the system assigns a group identification
number (<var class="varname">gid</var>). Normally, you can let the system generate
a <var class="varname">gid</var>. If you use your system in a network, you may need
to assign specific <var class="varname">gid</var>s to group profiles. Check with your
network administrator to verify whether you need to assign IDs.</div>
</div>
<div class="section"><h4 class="sectiontitle">Determine the application and libraries a user group needs</h4><p>If
you have not already done so, add your user groups to the application diagram
and libraries you drew earlier. This visual image will help you decide the
resource and application needs of each group.</p>
<p>On Part 1 of
the <a href="rzamvusergrpdescworksheet.htm#usergrpdescworksheet">User group description worksheet</a>,
indicate the group’s primary application, which is the application they use
most often. List the other applications the group needs.</p>
<div class="p">Look at your <a href="rzamvappdescworksheet.htm#appdescworksheet">application description
worksheet</a> to see the libraries each group needs. Check
with your programmer or application provider to find out the best method for
providing access to these libraries. Most applications use one of these techniques: <ul><li>The application includes the libraries on a user’s initial library list.</li>
<li>The application runs a setup program which places the libraries in the
user’s library list.</li>
<li>Libraries do not need to be in the library list. The application programs
always specify the library.</li>
</ul>
 </div>
<div class="p">The system uses a library list to find the files and programs
you need when you run applications. The library list is a list of libraries
the system searches for objects needed by the user. It has two parts: <ol><li>System portion: Specified in the QSYSLIBL system value, the system portion
is used for i5/OS™ libraries.
The default for this system value does not need to be changed.</li>
<li>User portion: The QUSRLIBL system value provides the user portion of the
library list. The user’s job description specifies the initial library list,
or commands after the user is signed on. If you have an initial library list,
it overrides the QUSRLIBL system value. Application libraries should be included
in the user portion of the library list.</li>
</ol>
 </div>
</div>
<div class="section"><h4 class="sectiontitle">Define the job description</h4><p>When
a user signs on the system, the user’s job description defines many characteristics
of the job, including how the job prints, how batch jobs are run, and the
initial library list. Your system comes with a job description, called QDFTJOBD,
which you can use when creating group profiles. However, QDFTJOBD specifies
the QUSRLIBL system value as the initial library list. If you want different
groups of users to have access to different libraries when signing on, you
should create unique job descriptions for each group.</p>
<p>List each library
needed by the group on the User Group Description Form. If the library should
be included on the initial library list in the group’s job description, mark
each library name on the form.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplanusergrp.htm" title="This topic describes what to do to prepare for planning user groups.">Plan user groups</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzamvgroupprof.htm" title="Group profiles define authority for a group of users.">Group profiles</a></div>
</div>
</div>
</body>
</html>