|TechTip: Control User Profile Sign-On Behavior|
|Tips & Techniques - Security|
|Written by Steve Pitcher|
|Friday, 11 February 2011 01:00|
Don't waste time coding CL programs to disable and re-enable profiles. Instead, use commands that the fine folks at IBM have made just for that purpose!
We've all had user profiles we wanted under our thumbs a little tighter.
Let's say you have a couple of temporary work-term students who will be at your company for the next six months. What happens? Chances are you are verbally notified by their manager the day they arrive with the expectation of a laptop, email account, and IBM i access. Then you set them up like any other user, along with instructions on how to operate the old-school coffee machine, of course. Six months go by, and you've forgotten all about those kids who've now gone back to school. Perhaps someone in HR will let you know they're gone and give you a formal request to disable their profiles, but I think that's more the exception than the rule in most shops.
Using Expiration Schedule Entries
Instead of relying on anyone to give you a heads up to disable a profile, be proactive about it and use the CHGEXPSCDE command. This command gives you the power to set a profile to expire or even delete on a certain date. For example, enter the following command to disable user profile STUDENT55 on December 12, 2011.
CHGEXPSCDE USRPRF(STUDENT55) EXPDATE('12/12/2011) ACTION(*DISABLE)
Furthermore, the command DSPEXPSCD will display a list of profiles that are pending expiration. This is a great little feature, especially if your shop has a high rate of employee turnover.
Using Activation Schedule Entries
What if you want more granularity when handling user profiles? Let's say you have a vendor who has a little extra authority and you want to ensure they're not on the system after hours doing things without your knowledge. It happens, people! A vendor takes it upon himself to log onto a system and make a change one evening, unbeknownst to anyone of course. First thing the next morning, you get calls from users saying a screen looks different. That's not cool, and you certainly don't look like you know what's going on or appear to have much control of your system.
Instead of flying to your vendor's office and holding a public flogging clinic in their parking lot (or actually in addition to doing that), you can use the CHGACTSCDE command to ensure that certain profiles are not allowed to sign on to your system during various hours of the day.
For example, if you have a vendor with a user profile called UNRULYVEND, you can authorize this profile to sign on only during weekday office hours of 8:30 a.mm to 5:00 p.m. by using the following command:
CHGACTSCDE USRPRF(UNRULYVEND) ENBTIME('08:30:00')
DSBTIME('17:00:00') DAYS(*MON *TUE *WED *THU *FRI)
The command DSPACTSCD shows you what profiles are being controlled by an activation schedule.
And if You're Already at V7.1…
The functionality of the commands above has been integrated into the user profile so that you can change them there! USREXPDATE (User expiration date) and USREXPITV (User expiration interval) are two new parameters you can use when doing a CHGUSRPRF (Change User Profile). The CHGACTSCDE and CHGEXPSCDE commands still work and are supported. As well, if you use the CHGEXPSCDE on a profile, then by using the Display User Profile (DSPUSRPRF) command, your system will show the value you specified.
as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,
|Last Updated on Friday, 11 February 2011 01:00|