Watch Your User Profiles

By Rich Loeber

Once you've set up a user profile on your IBM i systems, are you tracking changes to it over it's lifetime?

The user profile is your first line of defense in the ongoing battle of protecting your system. When a new employee shows up for work, you go to great lengths to get their profile set up just right. You make sure that they get access to the menus and files they need to get their work done and you set up their object access accordingly. If you've been at this a while, you probably already have a mental checklist of all the things that you need to do for a new user in each department or work group in your shop.

But, what about subsequent changes to those profiles. Are you watching these updates to make sure that your carefully engineered security scheme is being maintained over the life of each user profile?

In the IBM i OS, there are a couple of ways that you can monitor for this.

First, you can use the system security audit journal as an after-the-fact review process for user profile changes and updates. To run this report, use the Display Audit Journal Entries (DSPAUDJRNE) command. Prompt the command using the F4 key and select the entry type code CP (Change user profile entries). The resulting report will show you at least some of the user profile change activity for the selected period of time on your system.

If you want more immediate information about user profile changes, then the only alternative is for you to code an exit program. There are four possible exit points that you can use on the system to track user profile activity:

QIBM_QSY_CRT_PROFILE - Create User Profile

QIBM_QSY_CHG_PROFILE - Change User Profile

QIBM_QSY_DLT_PROFILE - Delete User Profile (2 points, one before the other after)

QIBM_QSY_RST_PROFILE - Restore User Profile

An exit point is a marker in the IBM i OS where you can attach your own program. The OS will call your program, passing parameters, during the process of working with these user profile events. You can code your program do meet your very specific needs. This can include on-line notification, detailed change tracking, rules enforcement and more. You can even pass a return code back to the exit point indicating that the profile change should be disallowed.

Your will find more details about creating exit programs to work with these user profile exit points in the IBM i Security Reference manual. Registering your program can be done using the Work With Registration Information (WRKREGINF) command. You will see many exit points displayed, be sure to limit your changes to the specific exits named above.

If you don't want to code your own solution, there is an audit reporting feature built into Kisco's iEventMonitor software that can be used for near real time reporting of profile change events. It is available for a free trial if you'd like to find out if would be helpful in your situation.

If you have any questions about this topic, you can reach me at rich at kisco.com. I'll give it my best shot. All email messages will be answered.