User profiles
User profiles define the authorizations available to individual users. The following types of user profiles are available:
- Individual—the profile used for an individual user
- *—the profile used if a user does not have a specific profile
- DDTOPER—the profile used for commands issued from the operator console
About user profiles
This section describes the types of profile entries that you can assign to a user and the different levels of profiles.
Types of profile entries
A user profile can contain the following types of entries, as shown in User profile contents:
- Security profile
Security profiles determine the functions that can be performed. A security profile entry defines the default, basic security given to a user. OPERTUNE uses the authorizations in the specified security profile to determine access for the user. For more information about security profiles, see Security-profiles.
- System profile
System profiles determine the OPERTUNE systems that can be accessed. A system profile entry limits a user’s access to the specified systems. When you specify a system, you can also associate a security profile with the system. In this way, you can limit a user to specific systems and to specific functions for those systems. If you specify one system profile entry, the user can access only that one OPERTUNE system. If you want a user to have access to additional systems, you must include an entry for each system. For more information about system profiles, see System-profiles.
- Subsystem
A subsystem entry limits a user’s access to the specified Db2 subsystem. When you specify a subsystem, you can also associate a security profile with the subsystem. In this way, you can limit a user to specific subsystems and to specific functions for those subsystems. If you specify one subsystem entry within a specific OPERTUNE system, the user can access only that subsystem. If you want a user to have access to additional subsystems, you must include an entry for each subsystem.
User profile contents
Profile names
Profile names can be for a specific user or they can use the * wildcard character to allow access to a group of users.
For example, a profile named ISJOHN would be used only for the user ID JOHN. A profile of IS* would be used for all user IDs that start with IS, such as ISJOHN, ISMARY, ISJOE, and ISJANE.
Special user profiles
OPERTUNE recognizes the following special user profiles:
- *
If a user accesses OPERTUNE, but does not have a specific user profile, OPERTUNE uses the entries in the * user profile to grant authorization to that user. If you delete the * profile, then only users with a defined user profile can access OPERTUNE.
- DDTOPER
The DDTOPER user profile specifies the security for commands issued from the operator console. If DDTOPER does not exist, OPERTUNE uses the * user profile. If neither DDTOPER nor * exists, only the MAINT command can be issued from the operator console.
Rules for determining authorizations
OPERTUNE applies rules for user profiles, for OPERTUNE systems and Db2 subsystems, and for functions to determine the authorizations that a user receives.
User profiles
The following rules (in the indicated order) determine which user profile to use:
- OPERTUNE searches for a user profile that exactly matches the user ID. If one is found, it is used.
- If an exact match is not found, OPERTUNE searches the user profiles that use the wildcard character. If a match is found, it is used. For example, suppose that user profiles named IS*, ISJO*, and ISJ* are defined and the user ID is ISJOAN. The user profile ISJO* is used because it matches the most letters before encountering the wildcard character.
- If no matching user profile is found, the * user profile is used.
- If no * user profile exists, the user cannot access OPERTUNE.
OPERTUNE systems and Db2 subsystems
The following rules determine access to systems and subsystems:
- If the user profile does not contain system profiles, all systems are accessible.
- If the user profile contains system profile entries, only those systems are accessible.
- If a system profile does not contain subsystem entries, all subsystems are accessible.
- If a system profile contains subsystem entries, only those subsystems are accessible within the system.
Functions
The following rules determine the OPERTUNE functions that are allowed:
- If a security profile is associated with a subsystem, system profile, or user profile, the security profile is used.
- If a security profile is not associated with a subsystem, system profile, or user profile, the DEFAULT security profile is used.
- If no DEFAULT security profile is defined, the user cannot use any of the OPERTUNE functions.
Example
Assume that the user JOHN has the user profile shown in Sample User Profile. The INFO security profile has information authorization only; the FULL security profile has access to all OPERTUNE features; and the PARTIAL security profile has access to some element commands.
Sample User Profile
If JOHN tries to access OPERTUNE system DDTC, access is denied because other systems are specifically defined.
If JOHN accesses DB2A under DDTA, JOHN has FULL access. If JOHN accesses DBSA under DDTA, JOHN has PARTIAL access. For all other subsystems under DDTA, JOHN does not have access.
For all subsystems under the control of DDTB, JOHN has PARTIAL access.
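The rules above can be checked against a small model before a profile change is rolled out. The following Python sketch is an added example, not OPERTUNE code: the dictionary layout, function names, and the "most specific security profile wins" precedence are assumptions, and the JOHN profile is constructed to be consistent with the outcomes stated above because the original figure is not reproduced here.

```python
# Added model of the documented rules; layout and names are assumptions.
def select_profile(profiles, user_id):
    """Exact match, then longest wildcard prefix, then '*', else None."""
    if user_id in profiles:
        return user_id
    wild = [n for n in profiles if n != "*" and n.endswith("*")
            and user_id.startswith(n[:-1])]
    if wild:
        return max(wild, key=len)     # most characters before the wildcard
    return "*" if "*" in profiles else None

def effective_security(profiles, defined, user_id, system, subsystem):
    """Return the security profile that applies, or None when access is denied."""
    name = select_profile(profiles, user_id)
    if name is None:
        return None
    profile = profiles[name]
    systems = profile.get("systems", {})
    sys_entry = {}
    if systems:                       # system entries listed: only those systems
        if system not in systems:
            return None
        sys_entry = systems[system]
    subsystems = sys_entry.get("subsystems", {})
    sub_entry = {}
    if subsystems:                    # subsystem entries listed: only those
        if subsystem not in subsystems:
            return None
        sub_entry = subsystems[subsystem]
    # Assumption: the most specific associated security profile wins.
    chosen = (sub_entry.get("security") or sys_entry.get("security")
              or profile.get("security") or "DEFAULT")
    # A missing DEFAULT grants nothing; treating any other undefined
    # name the same way is an assumption of this model.
    return chosen if chosen in defined else None

# Constructed sample data (the original figure is not on this page).
DEFINED = {"INFO", "FULL", "PARTIAL"}          # note: no DEFAULT
PROFILES = {
    "JOHN": {"security": "INFO", "systems": {
        "DDTA": {"subsystems": {"DB2A": {"security": "FULL"},
                                "DBSA": {"security": "PARTIAL"}}},
        "DDTB": {"security": "PARTIAL"}}},
    "IS*": {}, "ISJ*": {}, "ISJO*": {},
}

if __name__ == "__main__":
    for sys_, sub in [("DDTC", "DB2A"), ("DDTA", "DB2A"), ("DDTA", "DBSA"),
                      ("DDTA", "DB2X"), ("DDTB", "DB2Z")]:
        print("JOHN", sys_, sub, effective_security(PROFILES, DEFINED, "JOHN", sys_, sub))
    print("ISJOAN ->", select_profile(PROFILES, "ISJOAN"))
```

In this model a wildcard profile with no system entries reaches every system and falls back to DEFAULT, so the contents of the DEFAULT security profile decide what such broad profiles can do.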