Kisco Systems

IBM i Security Tips


Tracking Changes to User Profiles

By Rich Loeber

Updated November 1, 2020

A blog reader contacted me and asked how they could track changes to user profiles. They had an audit requirement to be able to prove that when a user was dismissed, their profile was disabled or removed from the system on their IBM i server.

When I got the call, I was up to my eyeballs in work and did not give them a good response. I suggested that they code and test exit programs to attach to the system exit points for user profile maintenance. While that solution might work, eventually, it is like wielding a sledgehammer to crack open an egg.

When I had more time to think about it, the easy solution came to mind. Use the information in the system security audit journal!

When the security audit journal is active on your system (a topic for a different blog post), then whenever a user profile is created, updated or deleted, records are added to the journal to record the fact.

So, if you want to track the history for a user profile, it is entirely possible to get all of the significant changes to the profile using the audit journal. There are two specific journal audit records that you will need to consider when reporting on these events.

Audit journal entries are identified by a Journal Code (a one-character alpha code) and by an Entry Type (a two-character alpha code). For our purposes here, we are going to look at journal records for Journal Code T (Audit Trail records) and Entry Type CP (Create, change, restore user profiles). If you also want to look at profile deletes, you can look at the T-DO records for objects with object type *USRPRF. The rest of this tip shows you how to work with the T-CP records, but a similar approach can be used for the T-DO records.

To trace user profile history using the T-CP records in the system security audit journals, I simply extracted them to a database file and then ran a report on them, sorting them by user profile and time stamp.

To produce the database file, first create an empty database file on your system using a system-provided shell file for the CP journal records. There are several of these available, depending on the level of detail that you want; I used the shell file named QASYCPJ4. You will find this in the QSYS library. You can create your shell file using the following command:

CRTDUPOBJ OBJ(QASYCPJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(TCPFILE)

This will create the file in your QTEMP library, but you can place it anywhere that is convenient for you.

To populate this database file with the right information from the system audit journal, it is a simple matter of running the Display Journal command (DSPJRN) with the right filter parameters. The following command should work for most systems:

DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(CP) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QTEMP/TCPFILE)

Some things to note. Using the *CURCHAIN parameter will pull all information from all journal receivers for the security journal that are currently available. If you want to limit the extract to a specific period of time, there are additional filter parameters available on the DSPJRN command. The output file format of *TYPE4 will format the data correctly for the shell file that we are using. If you want more information, try a different format, but you will also have to use a different shell file.

Lastly, all you need now is to review the database file or list it. Select the fields that you want to report on; there are a lot to choose from. I'm old school and I created a query report using WRKQRY. If you want a copy of it, just let me know and I'll send it to you.
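The same report can be produced with SQL instead of WRKQRY. The queries below are an added example, not the author's query report. They assume the outfile QTEMP/TCPFILE built above, and the column names are assumptions based on the QASYCPJ4 layout, so confirm them with DSPFFD FILE(QTEMP/TCPFILE) first. JSMITH is a constructed profile name.

```sql
-- Added example (not the author's WRKQRY report).
-- Assumption: column names follow the QASYCPJ4 model file; verify with
--   DSPFFD FILE(QTEMP/TCPFILE)
-- QTEMP is private to a job, so run this in the same job that ran DSPJRN
-- (for example STRSQL), or build the outfile in a permanent library.

-- 1. Full change history for one profile, oldest entry first.
--    'JSMITH' is a constructed sample name for the dismissed user.
SELECT CPONAM AS changed_profile,  -- profile that was created, changed or restored
       CPTSTP AS entry_timestamp,  -- when the audit entry was written
       CPCMDN AS command_type,     -- kind of operation, e.g. CRT, CHG, RST
       CPSTAT AS new_status,       -- STATUS value set by the command, blank if untouched
       CPPWDC AS password_changed, -- flag: password was changed by this command
       CPUSPF AS changed_by,       -- user profile the changing job ran under
       CPJOB  AS job_name,         -- qualified job that made the change
       CPUSER AS job_user,
       CPNBR  AS job_number
  FROM QTEMP.TCPFILE
 WHERE CPONAM = 'JSMITH'
 ORDER BY CPONAM, CPTSTP;

-- 2. Audit evidence: last time each profile was set to *DISABLED,
--    and the last time it was re-enabled afterwards (NULL if never).
SELECT d.CPONAM          AS changed_profile,
       MAX(d.CPTSTP)     AS last_disabled_at,
       (SELECT MAX(e.CPTSTP)
          FROM QTEMP.TCPFILE e
         WHERE e.CPONAM = d.CPONAM
           AND e.CPSTAT = '*ENABLED'
           AND e.CPTSTP > (SELECT MAX(x.CPTSTP)
                             FROM QTEMP.TCPFILE x
                            WHERE x.CPONAM = d.CPONAM
                              AND x.CPSTAT = '*DISABLED')
       )                 AS reenabled_after_at
  FROM QTEMP.TCPFILE d
 WHERE d.CPSTAT = '*DISABLED'
 GROUP BY d.CPONAM
 ORDER BY d.CPONAM;
```

A non-NULL reenabled_after_at for a dismissed user is the row to follow up on. Results only reach back as far as the journal receivers that *CURCHAIN could still find.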

If you're interested in knowing as soon as a user profile is changed, iEventMonitor from Kisco Information Systems will report on user profile changes in real time (and much, much more). This software is modestly priced and it might be worthwhile for you to opt for a purchased solution rather than expending programming resources to solve this in house.

If you have any questions about this topic, you can reach me at rich at kisco.com and I'll give it my best shot. All email messages will be answered.