If you are using the OS400 Management Agent (MA) that is included in Host Access Management Agent (HAMA) to import user profiles from an AS/400, you may run into an issue where only a subset of the defined user profiles are imported.
This problem can occur when the AS/400 user profile (aka user account) that the OS400 MA is using to connect to the AS/400 does not have all of the necessary permissions required to perform this function.
The HAMA documentation states the following regarding required permissions for the OS400 MA:
Requirements for the IBM AS/400 account used to run the IBM OS400 MA
The user profile account on the IBM AS/400 host used by the IBM OS400 MA must have “*SECADM” privileges and all profiles must be visible to this account.
IBM OS400 MA: The user profile account used to provision to the AS/400 host must have ‘*SECADM’ authority. You may also require the ‘*ALLOBJ’ authority depending on your deployment.
While working on this issue with a customer, I did some testing with an AS/400 user profile that was setup as follows on the AS/400 for use with the OS400 MA:
User Class: *PGMR
Special Authority: *SECADM
When using a user profile with these attributes, I was only able to import a few of the user profiles that were defined on the AS/400 when running the OS400 MA import process that I had setup with Microsoft Identity Integration Server (MIIS) 2003.
The interesting thing about this is that if I logged onto a console session on the AS/400 using the same user profile, I was able to run the same command that the OS400 MA uses to import the user profiles into MIIS and all of the user profiles were returned.
The problem with the user profile permissions only occurred when the command was initiated via the OS400 MA which uses the OLE DB Provider for AS/400 and VSAM (Host File adapter) included with Host Integration Server 2006.
In order to resolve the problem such that the OS400 MA is able to import all of the user profiles defined on the AS/400, the user profile used by the OS400 MA needs to be updated so that it has the following attributes:
User Class: *PGMR
Special Authority: *SECADM *ALLOBJ
The other way to prevent this issue from occurring is to use a user profile that has a User Class of *SECADM since this level of user profile has all the necessary permissions to complete the user profile import.