Published on System iNetwork (http://systeminetwork.com)
Hot Tips for Managing User Profiles
By bradforde
Created May 6 2008 - 19:33

By:
Dan Riehl [1]

With today's heavy emphasis on SOX and PCI compliance, one area at the forefront of the battle is managing user profiles. Here are some great i5/OS commands that can help you manage these profiles effectively.

Activating and Deactivating User Profiles

With the CHGACTSCDE (Change Profile Activation Schedule Entry) command, you can enable a user profile and disable it at a particular time on specific days. For example, to enable the user profile BOB at 11:00 a.m. Wednesday and disable it at 5:00 p.m. the same day, you could enter the following:

CHGACTSCDE USRPRF(BOB) ENBTIME('11:00') DSBTIME('17:00')
           DAYS(*WED)

However, if you forget that you have set this activation schedule entry, the profile will still be enabled each Wednesday at the specified time, so you need to remember to manually remove the entry after each usage.

To remove a user profile from the activation schedule, run this command:

CHGACTSCDE USRPRF(BOB) ENBTIME(*NONE) DSBTIME(*NONE)
           DAYS(*WED)

You should note that even if you disable a user profile, any job using that profile that's either currently active or on a job queue won't be affected (i.e., disabling the profile won't kill current jobs).

Handling Inactive Users

Remember that user from the accounting department that quit two years ago because he wanted to go fishing? Well, his user profile is still enabled for use. I suggest this is a bad thing. Dormant user profiles that haven't been used for a while should be deleted or, at the very least, disabled. Disabling a user profile prevents the profile from being used for logging in to the system.

The ANZPRFACT (Analyze Profile Activity) command exists for just this purpose. Enter the command on a command line and specify a number of days from 1 to 366, then press Enter. You've just added an entry to the i/OS job schedule that will run every day at 1:00 a.m. and disable all user profiles that have been inactive for at least the number of days you specified.

But wait! Before you run the ANZPRFACT command, you probably want to run another command first, CHGACTPRFL (Change Active Profile List), which lets you specify user profiles that are exempted from being disabled by the ANZPRFACT command. (Note: Many IBM-supplied "Q" user profiles are already exempted, so you don't need to make an exception for them. Press F1 (Help) on the ANZPRFACT command prompt to see a list of the user profiles specifically excluded by the command.) CHGACTPRFL takes the form

CHGACTPRFL USRPRF(ME YOU  MYUSERID) ACTION(*ADD)

To remove user profiles from the exemption list, specify *REMOVE instead of *ADD. To display the active profile list, you can use the command DSPACTPRFL (Display Active Profiles). One other issue to note is that some user profiles that are used for communications-type work may not be counted as signing on when they actually sign on. You can check them individually using the DSPUSRPRF command to see their last sign-on date. Check these, and if they do not show recent sign-on activity, make sure to add these service type profiles to the active profile list.

Now that you've set the active profile list (those profiles that will never be disabled by the ANZPRFACT command), we can get back to the ANZPRFACT command itself. You can specify the command as follows:

ANZPRFACT   INACDAYS(90)

Here, we specify that any profile that's been inactive for at least 90 days should be disabled. This assumes that the profile is not specified on the active profile list. The INACDAYS (Inactive Days) parameter can be specified as a number of days from 1 to 366 days.

How does the command figure out when a profile was last used? If the profile object's Last-Used date doesn't contain a value (i.e., it has never signed on), i/OS checks the object restore date instead. If that doesn't contain a restore date (i.e., it's never been restored), i/OS uses the profile's object creation date for the calculation instead. Again, some communication-type profiles may not show recent log-on activity, even if they are used every day. Add them to the active profile list.

The command doesn't disable profiles immediately when you enter it. Instead, ANZPRFACT runs an ADDJOBSCDE (Add Job Schedule Entry) command to add a job named QSECIDL1 to the i/OS job scheduler. The job is scheduled to run every day at 1:00 a.m. If you want to run it at a different time, change the job schedule entry using the command WRKJOBSCDE (Work with Job Schedule Entries). If you decide that you no longer want to run the scheduled job, you can remove the job schedule entry with this command:

ANZPRFACT   INACDAYS(*NOMAX)

Whenever a profile is disabled using the ANZPRFACT command, the system sends a message to the message queue of the user who ran the ANZPRFACT command, indicating that the user profile has been disabled. When you receive such messages, you should determine whether you can delete the user profile from your system.
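The following is an added example, not code from the article or from IBM: a small Python model of the inactivity rule described above (last-used date, else restore date, else creation date, compared against INACDAYS, with active-profile-list entries and already-disabled profiles skipped). The active profile list and the sample profiles are constructed for illustration; a real preview would feed it dates taken from DSPUSRPRF output.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple, Union

@dataclass
class Profile:
    name: str
    created: date                      # object creation date (always present)
    last_used: Optional[date] = None   # last-used date; None if never signed on
    restored: Optional[date] = None    # object restore date; None if never restored
    status: str = "*ENABLED"           # "*ENABLED" or "*DISABLED"

def reference_date(p: Profile) -> Tuple[date, str]:
    """Date inactivity is measured from: last-used, else restore, else creation."""
    if p.last_used is not None:
        return p.last_used, "last-used"
    if p.restored is not None:
        return p.restored, "restore"
    return p.created, "creation"

def profiles_to_disable(profiles: Iterable[Profile], inacdays: Union[int, str],
                        active_list: Set[str], today: date) -> List[Tuple[str, str]]:
    """(profile, date source) pairs the scheduled job would disable; *NOMAX removes the job."""
    if inacdays == "*NOMAX":
        return []
    if not 1 <= int(inacdays) <= 366:
        raise ValueError("INACDAYS must be 1-366 or *NOMAX")
    cutoff = today - timedelta(days=int(inacdays))
    hits = []
    for p in profiles:
        if p.status != "*ENABLED" or p.name in active_list:   # already disabled / exempt
            continue
        used, source = reference_date(p)
        if used <= cutoff:                                    # inactive for at least N days
            hits.append((p.name, source))
    return sorted(hits)

# Constructed sample data: "today" is the article's publication date.
TODAY = date(2008, 5, 6)
ACTIVE_LIST = {"QSECOFR", "COMMSVC"}   # assumed CHGACTPRFL exemptions, not a real list
SAMPLE = [
    Profile("BOB", date(2005, 1, 1), last_used=date(2008, 5, 1)),         # active user
    Profile("FISHERMAN", date(2004, 6, 1), last_used=date(2006, 3, 15)),  # left two years ago
    Profile("NEWHIRE", date(2008, 4, 20)),                                 # never signed on
    Profile("RESTORED", date(2003, 2, 2), restored=date(2007, 11, 1)),     # restored, never used
    Profile("COMMSVC", date(2005, 1, 1), last_used=date(2007, 1, 1)),      # service profile, exempt
    Profile("OLDTEMP", date(2005, 1, 1), last_used=date(2006, 1, 1), status="*DISABLED"),
]
```

Reviewing the "date source" column before scheduling the job shows which candidates are judged only on a restore or creation date, which is exactly where the service-type profiles the article warns about tend to surface.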

Determining Group Profile Members

For years I looked for a command that would list group profiles and the members within that group. Happily, I finally found one. Either it has always been there and I simply missed it, or it's relatively new. I suspect the former. The command DSPAUTUSR (Display Authorized Users) has a parameter SEQ that lets you specify that you want to list user profiles within a group profile.

DSPAUTUSR SEQ(*GRPPRF)

These commands are indispensable if you want to manage your user profiles effectively. Put them to use. As you devise and hone your i/OS user profile security policies, these tools should be in the top drawer of your security toolbox.

Copyright © Penton Media

Source URL: http://systeminetwork.com/article/hot-tips-managing-user-profiles

Links:
[1] http://systeminetwork.com/author/dan-riehl