Getting Control over User Profiles

By Rich Loeber

Every IBM i shop has the potential to have active user profiles on the system for users who have left the company.  Unless your personnel department is extra careful about global notifications when people leave, then you may have a security exposure that you don’t even know about.

You can, if you’re careful about setting up user profiles, take care of this problem when new profiles are created.  The “Password expiration interval” (PWDEXPITV) parameter on the Create User Profile (CRTUSRPRF) command lets you set up a separate expiration day interval for each user.  On a system-wide basis, you can also enforce a default expiration interval with the system value QPWDEXPITV.  Using the system value, you just have to use the default *SYSVAL setting for the PWDEXPITV parameter for each user profile.  I suspect that a lot of shops use this arrangement.

However, in every shop, there are users who have passwords that are set to never expire.  This is not recommended, but may make sense for some people who can closely guard their password and use the system heavily.  (I know many programmers and system operators who enjoy this luxury.)  For these people, simply relying on the password expiration interval won’t work, leaving you an even more serious exposure since the type of people who want permanent passwords also tend to have broad access to your system.

The good news is that IBM’s i/OS contains a way for you to enforce periodic expiration on user profiles that have not been used for a specified period of time.  There are several i/OS commands that will help you to enforce a policy of automatically forcing unused profiles to inactive status by disabling them.

The “Analyze Profile Activity” (ANZPRFACT) command will let you set up and control the number of days that the system should use to check for unused profiles.  Then, after this has been set, the system will scan the active profiles on your system once per day and disable those that have not been used for the specific period of time.  Before you start to use this, however, be sure to read on.  (Note, you can disable this check by running this command again and changing the setting to *NOMAX.)

The “Display Active Profile List” (DSPACTPRFL) command will let you display a list of specific profiles that the ANZPRFACT command will ignore when it is checking for unused profile activity.  These might be certain profiles that own object code on your system but are not actually used for signon purposes.  Some applications may require that these owner profiles remain active on your system.  This may be particularly true of third party software.

The “Change Active Profile List” (CHGACTPRFL) command lets you modify this list of profiles on your system.  You can use this command to add or remove entries from the list.  It is important to note that most Q profiles (IBM profiles) are automatically excluded from ANZPRFACT processing.  If you prompt the ANZPRFACT  command and use the HELP facility, you can access a quick list of the Q profiles that are excluded.

It is important for you to check the list (DSPACTPRFL) and update the list (CHGACTPRFL) before any regularly scheduled analysis processing takes place.  This will make sure that you don’t shoot yourself in the foot by disabling a user profile that needs to remain active.  If you use third party software on your system, check with each developer to find out if their ownership profile needs to remain enabled on your system.  Some third party software won’t care of the profile is disabled, but it is important to get the developer’s blessing before taking this step.  If you do have an owner profile that needs to remain enabled, you can always prevent user logon attempts by changing the password to *NONE.

Comments are closed.