Kisco Systems

IBM i Security Tips

Limiting When A User Profile Can Be Used

By Rich Loeber

Each user profile on your system is a window, of sorts, into the computing environment for your business. Some profiles have a very narrow and limited view while others have a panoramic scene before them. Some profiles can only look while others are allowed to look, pick things up, move them around, make changes and even throw them away. Some only have access to a single library while others, perhaps even you, have the keys to the Kingdom.

As a security officer, you've probably given this a lot of thought already and you already have your profiles set up with the exact permissions necessary. Users are allowed enough access to fulfill their job descriptions but not so much that they can wreak havoc for your organization, either accidentally or intentionally. And, to a large extent, your trust in the person behind the profile plays a large role in how much access you give them to your system.

Problems come up, however, when a profile is compromised and is used by someone other than the assigned person. When this happens to a profile that has the panoramic view of your system, real trouble can ensue.

The IBM i OS has a nice little feature that can give you improved control in the event of a compromised profile. This feature, the Activation Schedule, lets you tell the system on which days, and during which hours of the day, a profile can be used. If a user profile is compromised, the chances are very good that the unauthorized use will be attempted during off hours. If the profile in question has been added to the system Activation Schedule, it will not be available for use during the off-hours time frame. This extends not only to terminal session signon but to all server activity, such as FTP, the system file server, etc.

There are two commands that you use to maintain the system Activation Schedule. The "Change activation schedule entry" command (CHGACTSCDE) is the main command for maintaining the schedule. This lets you add a user profile to the list or change a profile that is already on the list. Once a profile is on the list, a message will be sent to the user profile that established the entry each time the profile is activated and deactivated. When you create the entry, you specify the time of day when you want the profile available for use. The system will activate the profile at the given time and then automatically deactivate it at the closing time that you enter. You can specify this time for all days of the week or for given days of the week.

The other command that can help you with this is the "Display activation schedule" command (DSPACTSCD). This command lets you review how your Activation Schedule is set up. You can look at it interactively or create a report of the schedule.

When you first set this up, nothing will happen right away, so be prepared for that. The system will post jobs into the IBM i system job scheduler to do the actual activation and deactivation. The next time one of the time-of-day thresholds is passed, the activity to activate and/or deactivate users will start and you will begin to receive status messages from the system.

Using this feature of the IBM i OS, you can close the window of opportunity when a compromised profile can be used and make it more difficult for mischief makers to do their thing on your system. One thing to keep in mind, if you adopt this process, is that you may need to make special arrangements when your users work a different schedule than normal, such as overtime work. During these times, you may have to update the Activation Schedule to accommodate different work hours.
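The two commands described above, put together as an added example (not part of the original tip): a weekday schedule for one profile, a review of the schedule, and the temporary change for an overtime period. The profile name PAYCLERK and all times are constructed for illustration, and the time values assume a job time separator of ":".

```cl
/* Added example. PAYCLERK is a hypothetical profile; the times are    */
/* constructed. Time values assume the job's time separator is ':'.    */

/* 1. Add PAYCLERK to the Activation Schedule: usable Monday-Friday,   */
/*    07:00 to 18:00. The system enables the profile at ENBTIME and    */
/*    disables it at DSBTIME on the listed days.                       */
CHGACTSCDE USRPRF(PAYCLERK) ENBTIME('07:00') DSBTIME('18:00') +
             DAYS(*MON *TUE *WED *THU *FRI)

/* 2. Review the schedule interactively ...                            */
DSPACTSCD OUTPUT(*)

/*    ... or produce a printed report for your audit records.          */
DSPACTSCD OUTPUT(*PRINT)

/* 3. Overtime period: change the existing entry so the profile stays  */
/*    usable until 21:00 and is also available on Saturday.            */
CHGACTSCDE USRPRF(PAYCLERK) ENBTIME('07:00') DSBTIME('21:00') +
             DAYS(*MON *TUE *WED *THU *FRI *SAT)

/* 4. When overtime ends, restore the normal window so the extended    */
/*    hours do not linger as standing exposure.                        */
CHGACTSCDE USRPRF(PAYCLERK) ENBTIME('07:00') DSBTIME('18:00') +
             DAYS(*MON *TUE *WED *THU *FRI)
```

Run DSPACTSCD again after step 4 to confirm the entry is back to its normal hours.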

If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My email address is rich at kisco.com. All email will be answered.