A user profile plays a vital role in IBMi system management and security. Using these profiles, users can access specific resources and ensure data integrity. The IBMi environment provides a method for managing and organizing user access rights through profile handles, which are an essential part of user profiles. Let us dive into the world of profile handles, learn how to create and use them, and discover why they are so critical for IBMi security.
Understanding Profile Handles
In IBMi, a profile handle is a generated identifier that identifies a user profile. It serves as an abstraction layer between the user and the underlying profile. Instead of interacting directly with user profiles, users and applications interact with profile handles, which map to user profiles. This abstraction makes user management more secure and flexible.
Application Case Study
Let us discuss a use case scenario to illustrate why this software is useful.
The production environment does not grant system users access to add, update, or delete records in the database; records can only be added or modified by the user profile that has the authority to do so (this varies from client to client). A program is therefore needed that generates and sets the profile handles for the user profile with the necessary authority, lets the user log details of manual database changes, and then releases the profile handles after the changes are complete.
To accomplish the objective, three APIs must be invoked. They are as follows:
- QSYGETPH(): To get a profile handle.
- QWTSETP(): Set profile based on the token generated by QSYGETPH.
- QSYRLSPH(): Release profile handle.
In this use case scenario, we have created a DDL table with columns including a column to store encrypted passwords for the production profile.
The SQL statement used to create the table is shown in the snippet below:
This can be created from the source member by using the RUNSQLSTM command.
Data can be inserted into the table for cross-referencing as shown in the snippet below:
Note: The column that stores the encrypted password needs to be defined with FOR BIT DATA so that the decrypt_bit scalar function can return the data in its decrypted form. The CCSID for the job needs to be 37 for the decrypt scalar function to work.
To proceed with database modifications, we need to create an SQLRPGLE program that retrieves the production user profile with appropriate authority and its password from an encrypted form.
The CL program must be invoked as soon as the data has been fetched.
The CL program contains six parts:
- Generate a profile handle for the current user in an active session.
- Generate a profile handle for the production profile.
- Set profile for the production profile.
- Call/invoke your custom program where you can log details of auditing for DB update.
- Set the profile back to the current user.
- Release profile handles.
The profile handle generations can be taken care of by invoking the QSYGETPH() API.
Setting up profiles for custom tasks can be done by invoking the QWTSETP() API.
Releasing the generated tokens for profile handles can be done by invoking the QSYRLSPH() API.
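The six steps above as one CL program, written as an added example and not the page's own SETPHPRD code. The parameter names &PRDUSER and &PRDPWD and the program AUDITPGM are hypothetical, and the sketch assumes a password of at most 10 characters in the job CCSID, which is the form QSYGETPH accepts when its optional length and CCSID parameters are omitted. The cleanup path swaps back and releases the handles even when a step fails.

```cl
PGM        PARM(&PRDUSER &PRDPWD)  /* caller passes decrypted credentials */
  DCL VAR(&PRDUSER) TYPE(*CHAR) LEN(10)
  DCL VAR(&PRDPWD)  TYPE(*CHAR) LEN(10)
  DCL VAR(&CURHDL)  TYPE(*CHAR) LEN(12)   /* handle: signed-on user */
  DCL VAR(&PRDHDL)  TYPE(*CHAR) LEN(12)   /* handle: production profile */
  DCL VAR(&GOTCUR)  TYPE(*LGL) VALUE('0')
  DCL VAR(&GOTPRD)  TYPE(*LGL) VALUE('0')
  DCL VAR(&SWAPPED) TYPE(*LGL) VALUE('0')
  DCL VAR(&DONE)    TYPE(*LGL) VALUE('0')
  /* Any escape message jumps to cleanup instead of ending while swapped */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))

  /* 1. Handle for the current user, needed to swap back later */
  CALL PGM(QSYGETPH) PARM('*CURRENT  ' '*NOPWD    ' &CURHDL)
  CHGVAR VAR(&GOTCUR) VALUE('1')
  /* 2. Handle for the production profile; the password is checked here */
  CALL PGM(QSYGETPH) PARM(&PRDUSER &PRDPWD &PRDHDL)
  CHGVAR VAR(&GOTPRD) VALUE('1')
  /* 3. Run under the production profile */
  CALL PGM(QWTSETP) PARM(&PRDHDL)
  CHGVAR VAR(&SWAPPED) VALUE('1')
  /* 4. Hypothetical program that logs and applies the database change */
  CALL PGM(AUDITPGM)
  CHGVAR VAR(&DONE) VALUE('1')

CLEANUP:
  /* Blank the cleartext password (also clears the caller's variable) */
  CHGVAR VAR(&PRDPWD) VALUE(' ')
  /* 5. Swap back; if that fails, end with an escape rather than carry on */
  IF COND(&SWAPPED) THEN(DO)
    CALL PGM(QWTSETP) PARM(&CURHDL)
    MONMSG MSGID(CPF0000) EXEC(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
             MSGDTA('Swap back to original profile failed') MSGTYPE(*ESCAPE))
  ENDDO
  /* 6. Release only the handles that were actually obtained */
  IF COND(&GOTPRD) THEN(DO)
    CALL PGM(QSYRLSPH) PARM(&PRDHDL)
    MONMSG MSGID(CPF0000)
  ENDDO
  IF COND(&GOTCUR) THEN(DO)
    CALL PGM(QSYRLSPH) PARM(&CURHDL)
    MONMSG MSGID(CPF0000)
  ENDDO
  /* Tell the caller when the audited update did not run to completion */
  IF COND(*NOT &DONE) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
       MSGDTA('Production update did not complete') MSGTYPE(*ESCAPE))
ENDPGM
```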
Sample code, created for demonstration purposes, is attached for reference.
Token generation, profile setting, and token release are handled by the CL program SETPHPRD.
The SQLRPGLE program SETPHPRDR gathers the required data for invoking CL.
In conclusion, profile handles on IBMi are an indispensable tool for administrators seeking to enhance their system’s security posture, streamline user management, and maintain operational efficiency. By harnessing the power of these handles, you are not only simplifying your day-to-day tasks but also fortifying the defenses of your IBMi environment against potential threats. So, whether you are a seasoned IBMi administrator or just starting your journey, profile handles are your trusted companions on the road to efficient and secure user profile management.