Restoring user profiles

When a user profile is restored, the system might change some of its fields.

The following rules apply:
  • If profiles are being restored individually (RSTUSRPRF USRPRF(*ALL) is not specified), SECDTA(*PWDGRP) is not requested, and the profile that is being restored does not exist on the system, these fields are changed to *NONE:
    • Group profile name (GRPPRF)
    • Password (PASSWORD)
    • Document password (DOCPWD)
    • Supplemental group profiles (SUPGRPPRF)

    Product passwords are changed to *NONE, so they will be incorrect after restoring an individual user profile that did not exist on the system.

  • If profiles are being restored individually (RSTUSRPRF USRPRF(*ALL) is not specified), SECDTA(*PWDGRP) is not requested, and the profile exists on the system, the password, document password, and group profile are not changed.

    User profiles can be restored individually with the password and group information restored from the save media by specifying the SECDTA(*PWDGRP) parameter on the RSTUSRPRF command. *ALLOBJ and *SECADM special authorities are required to restore the password and group information when restoring individual profiles. Product passwords restored with the user profile will be incorrect after restoring an individual user profile that existed on the system, unless the SECDTA(*PWDGRP) parameter is specified on the RSTUSRPRF command.

  • If all of the user profiles are being restored to your system, all of the fields in any of the profiles that already exist on the system are restored from the save media, including the password.
    Attention:
    1. User profiles saved from a system with a different password level (QPWDLVL system value) than the system that is being restored might result in having a password that is not valid on the restored system. For example, if the saved user profile came from a system that was running password level 2, the user can have a password of "This is my password". This password will not be valid on a system running password level 0 or 1.
    2. Keep a record of the security officer (QSECOFR) password associated with each version of your security information that is saved. This ensures that you can sign on to your system if you need to do a complete restore operation.

    You can use DST (Dedicated Service Tools) to reset the password for the QSECOFR profile.

  • If a profile exists on the system, the restore operation does not change the uid or gid.
  • If a profile does not exist on the system, the uid and gid for a profile are restored from the save media. If either the uid or the gid already exists on the system, the system generates a new value and issues a message (CPI3810).
  • *ALLOBJ special authority is removed from user profiles that are being restored to a system at security level 30 or higher in either of these situations:
    • The profile was saved from a different system and the user performing the RSTUSRPRF does not have *ALLOBJ and *SECADM special authorities.
    • The profile was saved from a system at security level 10 or 20.
    Attention: The system uses the machine serial number on the system and on the save media to determine whether objects are being restored to the same system or to a different system.
    *ALLOBJ special authority is not removed from these IBM-supplied profiles:
    • QSYS (system) user profile
    • QSECOFR (security officer) user profile
    • QLPAUTO (licensed program automatic install) user profile
    • QLPINSTALL (licensed program install) user profile
  • If a profile is restored (all profiles or individual profile) that already exists on the system, the restore operation will not change the existing user expiration fields.
  • If a profile is restored (all profiles or individual profile) that does not yet exist on the system, all fields in the user profile are restored from the save media, including the user expiration interval and user expiration date fields:
    • If the profile is enabled and the user expiration date has passed, the user profile will be set to disabled and the CPF2271 diagnostic message will be sent.
    • If the profile is enabled and the user expiration date has not passed, the job scheduler entry will be added.
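
The password, group and *ALLOBJ rules above can be checked against a restore plan before running RSTUSRPRF. The following is an added example, not IBM code: the Restore record, its field names and the sample plan are constructed for illustration, and "does not have *ALLOBJ and *SECADM" is assumed to mean the restoring user lacks at least one of the two.

```python
from typing import NamedTuple

# IBM-supplied profiles that keep *ALLOBJ (listed on this page).
KEEP_ALLOBJ = {"QSYS", "QSECOFR", "QLPAUTO", "QLPINSTALL"}

class Restore(NamedTuple):          # hypothetical model: one profile in one RSTUSRPRF run
    name: str
    all_profiles: bool              # USRPRF(*ALL) specified
    pwdgrp: bool                    # SECDTA(*PWDGRP) specified
    exists: bool                    # profile already exists on the target system
    target_seclvl: int              # security level of the target system
    saved_seclvl: int               # security level of the system that saved it
    same_system: bool               # serial number on the save media matches the target
    restorer_allobj_secadm: bool    # restoring user has both *ALLOBJ and *SECADM

def password_group_source(r: Restore) -> str:
    """Where PASSWORD, DOCPWD and GRPPRF come from: 'media', 'system' or '*NONE'."""
    if r.all_profiles:
        return "media"              # all fields are restored from the save media
    if r.pwdgrp:
        # The authority requirement is modelled here as an error (assumption).
        if not r.restorer_allobj_secadm:
            raise PermissionError("SECDTA(*PWDGRP) needs *ALLOBJ and *SECADM")
        return "media"
    return "system" if r.exists else "*NONE"

def allobj_removed(r: Restore) -> bool:
    """True if the restore strips *ALLOBJ from this profile (when it has it)."""
    if r.target_seclvl < 30 or r.name in KEEP_ALLOBJ:
        return False
    foreign = not r.same_system and not r.restorer_allobj_secadm
    return foreign or r.saved_seclvl in (10, 20)

def review(plan):
    """Return (profile, finding) pairs an administrator should resolve after the restore."""
    out = []
    for r in plan:
        if password_group_source(r) == "*NONE":
            out.append((r.name, "password and group set to *NONE"))
        if allobj_removed(r):
            out.append((r.name, "*ALLOBJ removed"))
    return out

# Constructed sample plan: individual restores onto a system at security level 40.
PLAN = [
    Restore("APPOWNER", False, False, False, 40, 40, False, True),
    Restore("OPER1", False, False, True, 40, 20, True, True),
    Restore("QSECOFR", False, True, True, 40, 20, False, True),
]

if __name__ == "__main__":
    for name, finding in review(PLAN):
        print(f"{name}: {finding}")
```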