Kisco Systems

IBM i Security Tips


Tracking User Profile Changes

By Rich Loeber

In response to a recent tip, I heard from a reader who suggested a good technique that they use for managing a large base of user profiles on their system. They submitted this suggestion and I've been playing with it and it really does give you the basis for managing your user profile base quite nicely.

What this security officer does is periodically create a database file of the basic information for the entire user profile base. They then compare this file to one created a couple of weeks earlier. Through a series of Query reports, they are able to list activity in the user profile base, giving them exception reports to review.

To get started with this approach, you need to create your baseline or historical database. This is done using the Display User Profile (DSPUSRPRF) command. Select all profiles, request basic information, and direct the output to an *OUTFILE. Then sit back and wait a few days, or, as my reader suggested, two weeks. You may want to wait longer depending on how much time you have and how large your user profile base is.

Then, after the selected time period, run the Display User Profile (DSPUSRPRF) command again, but send the output to a different *OUTFILE database. Once you have these two files, you can run a series of Query reports that compare them.

My reader recommends at least four reports, but when you get the hang of this, additional reports may be helpful. The four reports that they work with are:

New User Profiles Added

Old User Profiles Deleted

User Profiles with no Sign-on Activity

User Profiles with changes to their Special Authorities

Using IBM i Query, this is really quite easy. You match the two files on the user profile field and choose a different matching-record option depending on the report you are creating. In some cases, you'll want records that are on one file but not on the other, and vice versa. In other cases, you will want profiles that are on both files but have field mismatches.

Then, when you're all done with your reporting, copy the current user profile database over into your historical user profile database and wait another couple of weeks to repeat the process.

These exception reports will show you significant change areas in your user profile base. You can verify that new profiles added are valid and the same for deleted profiles. For profiles with no sign-on activity, you can check to see if the users are just on vacation or are actually gone from the company. For users whose special authorities have changed, you can verify that the changes were warranted.

Other reports you might want to consider are users with group profile changes, users with expired passwords and much more, limited only by your imagination.
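As an added example (not the reader's queries, not Kisco's save file, and not part of the original post), here are the four reports, plus the group-profile report mentioned above, written as Db2 for i SQL so they can be run from STRSQL or Run SQL Scripts instead of Query. The library name SECAUDIT and the file names USRPRFOLD and USRPRFNEW are assumptions; the column names are those of the QADSPUPB model file that DSPUSRPRF OUTPUT(*OUTFILE) uses, and you should confirm them on your own system with DSPFFD before relying on the reports.

```sql
-- Added example, not from the original post or Kisco's own tools: the four
-- exception reports (plus the group-profile report suggested as an extra)
-- as Db2 for i SQL instead of IBM i Query.
-- Assumptions: the two DSPUSRPRF outfiles live in a library named SECAUDIT as
-- USRPRFOLD (baseline) and USRPRFNEW (current); column names follow the
-- QADSPUPB model file used by DSPUSRPRF TYPE(*BASIC) OUTPUT(*OUTFILE):
-- UPUPRF profile name, UPSPAU special authorities, UPGRPF group profile,
-- UPPSOD previous sign-on date. Confirm them with
--   DSPFFD FILE(SECAUDIT/USRPRFNEW)
-- before running the reports.
--
-- Snapshot commands (CL), once for the baseline and again after the wait:
--   DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(SECAUDIT/USRPRFOLD)
--   ... wait two weeks ...
--   DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(SECAUDIT/USRPRFNEW)

-- 1. New user profiles: in the current snapshot but not in the baseline.
SELECT n.UPUPRF AS PROFILE, n.UPGRPF AS GROUP_PROFILE, n.UPSPAU AS SPECIAL_AUTH
  FROM SECAUDIT.USRPRFNEW n
  LEFT JOIN SECAUDIT.USRPRFOLD o ON o.UPUPRF = n.UPUPRF
 WHERE o.UPUPRF IS NULL
 ORDER BY n.UPUPRF;

-- 2. Deleted user profiles: in the baseline but gone from the current snapshot.
SELECT o.UPUPRF AS PROFILE, o.UPGRPF AS GROUP_PROFILE, o.UPSPAU AS SPECIAL_AUTH
  FROM SECAUDIT.USRPRFOLD o
  LEFT JOIN SECAUDIT.USRPRFNEW n ON n.UPUPRF = o.UPUPRF
 WHERE n.UPUPRF IS NULL
 ORDER BY o.UPUPRF;

-- 3. No sign-on activity during the interval: the previous sign-on date has
--    not moved between the two snapshots. A profile that has never signed on
--    carries the same empty value in both files and is reported as well.
SELECT n.UPUPRF AS PROFILE, n.UPPSOD AS LAST_SIGNON_DATE
  FROM SECAUDIT.USRPRFNEW n
  JOIN SECAUDIT.USRPRFOLD o ON o.UPUPRF = n.UPUPRF
 WHERE n.UPPSOD = o.UPPSOD
 ORDER BY n.UPPSOD, n.UPUPRF;

-- 4. Special authorities changed: present in both files, field values differ.
--    UPSPAU holds the whole list of special authorities in one field, so any
--    addition or removal changes its value and shows up here.
SELECT n.UPUPRF AS PROFILE, o.UPSPAU AS OLD_SPECIAL_AUTH, n.UPSPAU AS NEW_SPECIAL_AUTH
  FROM SECAUDIT.USRPRFNEW n
  JOIN SECAUDIT.USRPRFOLD o ON o.UPUPRF = n.UPUPRF
 WHERE n.UPSPAU <> o.UPSPAU
 ORDER BY n.UPUPRF;

-- 5. Group profile changed (one of the additional reports the post suggests).
SELECT n.UPUPRF AS PROFILE, o.UPGRPF AS OLD_GROUP, n.UPGRPF AS NEW_GROUP
  FROM SECAUDIT.USRPRFNEW n
  JOIN SECAUDIT.USRPRFOLD o ON o.UPUPRF = n.UPUPRF
 WHERE n.UPGRPF <> o.UPGRPF
 ORDER BY n.UPUPRF;

-- Roll over (CL): once the reports are reviewed, the current snapshot becomes
-- the new baseline and the cycle repeats after the next waiting period.
--   CPYF FROMFILE(SECAUDIT/USRPRFNEW) TOFILE(SECAUDIT/USRPRFOLD) MBROPT(*REPLACE)
```

Each query is the SQL form of one Query matching-record option: reports 1 and 2 are "unmatched records from the primary file" with the primary file swapped, and reports 3 through 5 are "matched records" with a field comparison added in the selection. The dot between library and file is SQL naming; under system naming use SECAUDIT/USRPRFNEW instead.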

If you're interested, I've created the four query reports and a CL program that ties this all together. If you'd like a copy of these in a save file so you can load them directly onto your system, just ask. If you have any questions about this topic, you can reach me at rich at kisco.com; I'll try to answer any questions you may have. All email messages will be answered.