More Control over User Profiles

By Rich Loeber

No matter how good your office procedures are for setting up, enabling, disabling and removing users from your system, there is always room for error.  There is nothing like a quick check of your user profile base to help keep your user profiles in good order.  The user profile is a key that lets people into your system and keeping the keys in order is, or should be, a primary obligation of your security controls.

For many of us who have been doing this for a while, the quick review takes the form of a session with the WRKUSRPRF command using the *ALL option.  But, this is a tedious process at best and you can easily miss something important this way.  The ideal would be to get the user profile information organized into various views to focus in on the myriad aspects of security that exist in today’s IBM i world.

Fortunately, IBM’s i/OS contains a facility to help you with this.  The command “Print User Profile” (PRTUSRPRF) has the ability to generate up to four different format reports that will organize your user profile information base to give you a good overview.  The report information for the four different reports concentrate on:

  • Authority type information
  • Environment type information
  • Password type information
  • Password level type information (V5R1 and higher only)

The command has up to four parameters to control the information presented on the listings.  Some of these parameters are context sensitive and will not always be prompted depending on other values you enter.  In addition to indicating which of the four report formats you want, you can also narrow your selection of the specific user profiles to be included, thereby letting you analyze like profiles together.  These selection options let you limit the reports to only users with specific special authority settings and users for specific user classes.  You will probably want to start by specifying all users, but if you’re in a very large shop, this may produce too much information for you to be able to focus in on.

The four reports, however, are the key to using this tool effectively.  The report on authority type information shows each selected profile along with a reference to any group profile or supplemental groups that the profile belongs to.  Then, the special authorities in effect for the user are shown along with their user class, the user profile object ownership setting and other object ownership related information.  A quick scan of this report can quickly show you users that are categorized in an incorrect group, users who are in a group that gives them more access rights than you really intend and many other options.

The report on environment type information presents a different report format.  This report focuses in on the job execution environment in place for each user profile.  These things include the current library, initial menu/library, default job description and other settings that control how jobs run by each user profile will be setup by your system.  This report lets you do a quick audit of user profiles to make sure that they are set up for just the work they should be doing and no more.

The third report produces password type information.  This report lists the current enabled/disabled status of each profile, the current number of invalid signon attempts, the last signon, when their password was last changed and more information that will help with administration of password controls.  In preparing this article, I discovered some unusual values on this report that seemed to indicate someone attempting to gain access to our test system via Telnet using the QSRV and QSYSOPR user profiles.  Both profiles were disabled and the not-valid signon attempts were at the maximum.  Since nobody uses these profiles in our shop, I can only conclude that an illegal signon attempt was made for both of these.  Fortunately, it appears that these attempts failed since we do not have the default passwords still active for any of the IBM supplied ‘Q’ user profiles.  Using this report, you can perform a very quick scan of the setup for each user and quickly spot anomalies, like I did.

The fourth report prints a report on password level type information.  Under the more recent versions of i/OS, you can optionally use longer passwords (up to 128 bytes long) and you can specify a controlled switch over from one setup to another.  This fourth report supplies you with information on how this extended password level is configured for each user on your system.  You can see additional information about this on the system value QPWDLVL and by using the DSPSECA command on these systems.

These four reports, and their various mutations when you use the filtering options, will give you a good tool in keeping current on the status of the user profile pool on your system.  A monthly review of the first three reports would be in order and you can simplify this by just loading these commands into your system job scheduler to automatically run on a monthly basis.

Comments are closed.