Plan group profiles

This topic describes the purpose of group profiles and how to design them. Use group profiles to define authorities for a group of users, rather than giving authority to each user individually.

A user can be a member of up to 16 group profiles. You can use a group profile as a pattern for creating individual user profiles.

Once you identify your user groups, you are ready to plan a profile for each group. Many of the decisions you make affect both security and customizing. For example, when you specify an initial menu, you might be restricting a user to only that menu. But you are also ensuring that the user sees the correct menu after signing on.

A group profile is a special type of user profile. It serves two purposes on the system:
  • Security tool: A group profile provides a method for organizing authorities on your system and sharing them among users. You can define object authorities or special authorities for group profiles rather than for each individual user profile. A user may be a member of up to 16 group profiles.
  • Customizing tool: A group profile can be used as a pattern for creating individual user profiles. Most people who are part of the same group have the same customizing needs, such as the initial menu and the default printer. You can define these things in the group profile and then copy the group profile to create individual user profiles.
A group profile is a useful tool when several users have similar security requirements. It is particularly useful when job requirements and group membership change. For example, if members of a department have responsibility for an application, a group profile can be set up for the department. As users join or leave the department, the group profile field in their user profiles can be changed. This is easier to manage than removing individual authorities from user profiles.

You can create profiles specifically to be group profiles, or you can make an existing profile into a group profile. A group profile is simply a special type of user profile. It becomes a group profile when one of the following occurs:
For example:
  1. Create a profile called GRPIC: CRTUSRPRF GRPIC
  2. When the profile is created, it is an ordinary profile, not a group profile.
  3. Designate GRPIC as the group profile for another profile: CHGUSRPRF USERA GRPPRF(GRPIC)
  4. The system now treats GRPIC as a group profile and assigns a gid to it.

Create a group profile plan

You create group profiles in the same way that you create individual profiles. The system recognizes a group profile when you add the first member to it. At that point, the system sets information in the profile indicating that it is a group profile. The system also generates a group identification number (gid) for the profile. You can also designate a profile as a group profile at the time that you create it by specifying a value in the GID parameter.

Perform the following steps to plan group profiles:
  1. Prepare a user group description worksheet for each identified group.
  2. Name groups consistently.
  3. Use the naming conventions worksheet to document your group naming conventions.
  4. Determine the application and library needs of each user group. Use the application descriptions and library description worksheets.
  5. Define the job description for user groups.

Planning Primary Groups for Objects

Any object on the system can have a primary group. Primary group authority can provide a performance advantage if the primary group is the first group for most users of an object. Often, one group of users is responsible for some information on the system, such as customer information. That group needs more authority to the information than other system users. By using primary group authority, you can set up this type of authority scheme without affecting the performance of authority checking.

Planning Multiple Group Profiles

A user can be a member of up to 16 groups: the first group (GRPPRF parameter in the user profile) and 15 supplemental groups (SUPGRPPRF parameter in the user profile). By using group profiles, you can manage authority more efficiently and reduce the number of individual private authorities for objects. However, the misuse of group profiles can have a negative impact on the performance of authority checking.

Follow these suggestions when using multiple group profiles:
  • Try to use multiple groups in combination with primary group authority and eliminate private authority to objects.
  • Carefully plan the sequence in which group profiles are assigned to a user. The user’s first group should relate to the user’s primary assignment and the objects used most often. For example, assume a user called WAGNERB does inventory work regularly and does order entry work occasionally. The profile needed for inventory authority (DPTIC) should be WAGNERB’s first group. The profile needed for order entry work (DPTOE) should be WAGNERB’s first supplemental group. The sequence in which private authorities are specified for an object has no effect on authority checking performance.
  • If you plan to use multiple groups, be sure you understand how using multiple groups in combination with other authority techniques, such as authorization lists, may affect your system performance.
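
The WAGNERB sequence above written as CL commands, added here as an example and not part of the original topic. The file ITEMLIB/ITEMMAST is a hypothetical object, and PASSWORD(*NONE) is an added hardening choice that is not stated on this page.

```cl
/* Added example. ITEMLIB/ITEMMAST is a hypothetical inventory file.  */
/* Assumes DPTIC and DPTOE do not exist yet and WAGNERB already does. */

/* Create the profiles that will become groups. PASSWORD(*NONE)       */
/* (an assumption of this example) prevents sign-on as the group.     */
CRTUSRPRF USRPRF(DPTIC) PASSWORD(*NONE) TEXT('Inventory control group')
CRTUSRPRF USRPRF(DPTOE) PASSWORD(*NONE) TEXT('Order entry group')

/* First group = regular work; first supplemental = occasional work.  */
/* Naming DPTIC and DPTOE here is what turns them into group profiles. */
CHGUSRPRF USRPRF(WAGNERB) GRPPRF(DPTIC) SUPGRPPRF(DPTOE)

/* Make DPTIC the primary group of the object its members use most.   */
CHGOBJPGP OBJ(ITEMLIB/ITEMMAST) OBJTYPE(*FILE) NEWPGP(DPTIC) +
          PGPAUT(*CHANGE)

/* Remove WAGNERB's private authority; access now comes from DPTIC.   */
RVKOBJAUT OBJ(ITEMLIB/ITEMMAST) OBJTYPE(*FILE) USER(WAGNERB) AUT(*ALL)

/* Review the result: group members, then authorities on the object.  */
DSPUSRPRF USRPRF(DPTIC) TYPE(*GRPMBR)
DSPOBJAUT OBJ(ITEMLIB/ITEMMAST) OBJTYPE(*FILE)
```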

Prepare a user group description worksheet

In this example, the User group description worksheet includes the group profile name and the applications and libraries that the group uses.

Table 1. Example: User Group Description Worksheet
User Group Description Worksheet
Group profile name: DPTWH

Description of the group: Warehouse department

Primary application for the group: Inventory control

List other applications needed by the group: None

List each library that the group needs. Place an X in front of each library that should be in the initial library list for each group.
  • X ITEMLIB
  • X ICPGMLIB

Name group profiles

Because a group profile acts as a special type of user profile, you may want to identify group profiles on lists and displays. You need to assign them special names. To appear together on lists, your group profiles should begin with the same characters, such as GRP (for group) or DPT (for department). Use these guidelines when naming user groups:
  • User group names can be up to 10 characters long.
  • The name may include letters, numbers, and the special characters: pound (#), dollar ($), underline (_), and the at sign (@).
  • The name cannot begin with a number.
Note: For each group profile, the system assigns a group identification number (gid). Normally, you can let the system generate a gid. If you use your system in a network, you may need to assign specific gids to group profiles. Check with your network administrator to verify whether you need to assign IDs.

Determine the application and libraries a user group needs

If you have not already done so, add your user groups to the application diagram and libraries you drew earlier. This visual image will help you decide the resource and application needs of each group.

On Part 1 of the User group description worksheet, indicate the group’s primary application, which is the application they use most often. List the other applications the group needs.

Look at your application description worksheet to see the libraries each group needs. Check with your programmer or application provider to find out the best method for providing access to these libraries. Most applications use one of these techniques:
  • The application includes the libraries on a user’s initial library list.
  • The application runs a setup program which places the libraries in the user’s library list.
  • Libraries do not need to be in the library list. The application programs always specify the library.
The system uses a library list to find the files and programs you need when you run applications. The library list is a list of libraries the system searches for objects needed by the user. It has two parts:
  1. System portion: Specified in the QSYSLIBL system value, the system portion is used for i5/OS™ libraries. The default for this system value does not need to be changed.
  2. User portion: The QUSRLIBL system value provides the user portion of the library list. The user’s job description specifies the initial library list, or commands run after the user is signed on can set the library list. If you have an initial library list, it overrides the QUSRLIBL system value. Application libraries should be included in the user portion of the library list.

Define the job description

When a user signs on the system, the user’s job description defines many characteristics of the job, including how the job prints, how batch jobs are run, and the initial library list. Your system comes with a job description, called QDFTJOBD, which you can use when creating group profiles. However, QDFTJOBD specifies the QUSRLIBL system value as the initial library list. If you want different groups of users to have access to different libraries when signing on, you should create unique job descriptions for each group.

List each library needed by the group on the User Group Description Form. If the library should be included on the initial library list in the group’s job description, mark each library name on the form.
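
The DPTWH worksheet from Table 1 turned into a job description and profiles, as an added example that is not part of the original topic. QGPL as the library for the job description and the member profile WHCLERK1 are assumptions, as is the use of PASSWORD(*NONE).

```cl
/* Added example built from the DPTWH worksheet on this page.         */
/* QGPL (job description library) and WHCLERK1 (member profile) are   */
/* hypothetical choices made for this example.                        */

/* Job description whose initial library list holds the two libraries */
/* marked with an X on the worksheet, instead of QUSRLIBL.            */
CRTJOBD JOBD(QGPL/DPTWH) INLLIBL(ITEMLIB ICPGMLIB) +
        TEXT('Warehouse department')

/* Profile that will serve as the group. PASSWORD(*NONE) is an added  */
/* assumption so that nobody can sign on with the group profile.      */
CRTUSRPRF USRPRF(DPTWH) PASSWORD(*NONE) JOBD(QGPL/DPTWH) +
          TEXT('Warehouse department')

/* Individual profile patterned on the group. Adding this first       */
/* member is what makes the system treat DPTWH as a group profile.    */
/* PASSWORD(*NONE) is set explicitly because the command default,     */
/* PASSWORD(*USRPRF), makes the password equal to the profile name;   */
/* assign a real password when the account is handed to the user.     */
CRTUSRPRF USRPRF(WHCLERK1) PASSWORD(*NONE) GRPPRF(DPTWH) +
          JOBD(QGPL/DPTWH) TEXT('Warehouse clerk')

/* Check the initial library list and the group assignment.           */
DSPJOBD JOBD(QGPL/DPTWH)
DSPUSRPRF USRPRF(WHCLERK1)
```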
