Q: We are currently using OS/400 auditing and would like to include some of our own audit data in the audit journal. When one of our applications attempts to send an audit entry to the audit journal using the Send Journal Entry (SNDJRNE) command, the application receives a not authorized message. The *PUBLIC authority to the audit journal (QAUDJRN) is *EXCLUDE. When I tried to change the authority to the QAUDJRN, the Grant Object Authority (GRTOBJAUT) command returns message CPF2211, "Not able to allocate object QAUDJRN...." How can I change the authority to the audit journal?
A: To prevent deletion of the audit journal (QAUDJRN), the QSYSARB process of OS/400 allocates the QAUDJRN any time auditing is active. This lock also prevents you from changing the authority to the audit journal. You can stop auditing for a short period while you change the authority to the QAUDJRN and then restart auditing. Auditing can be terminated by changing the system value QAUDCTL to *NONE.
Here are the commands you'll need to run:
1. DSPSYSVAL SYSVAL(QAUDCTL)
(Record your current settings so that you can reapply them in step 4.)
2. CHGSYSVAL SYSVAL(QAUDCTL) + VALUE(*NONE) 3. EDTOBJAUT OBJ(QAUDJRN) + OBJTYPE(*JRN)
(Use this display to change the *PUBLIC authority to QAUDJRN.)
4. CHGSYSVAL SYSVAL(QAUDCTL) + VALUE
(Use the values recorded in step 1.)
Q: There are a number of user profiles on our AS/400 that are inactive, and several appear never to have been used. Before we move to V3R1, I would like to clean up the inactive user profiles. Do you have any recommended steps to find the inactive user profiles?
A:If your system does not have many user profiles, it may be possible to contact the individual users. The users who do not respond are candidates for deletion. However, this is a very time-consuming task. When you have more than 200 user profiles, for example, you may want to use some automated method to find the inactive user profiles.
There are several dates that are useful in locating unused user profiles. The two commands that will give you access to those dates are the following:
DSPUSRPRF USRPRF(*ALL) + OUTPUT(*OUTFILE) + OUTFILE(USRPRF) DSPOBJD OBJ(QSYS/*ALL) + OBJTYPE(*USRPRF) + OUTPUT(*OUTFILE) + OUTFILE(OBJD)
Query or SQL can be used to join the two files on user profile name and produce a list of candidate profiles to delete.
The last sign-on date and date last-used are useful to select the user profiles that have not been used for an extended period. The date-created can be used to prevent deletion of user profiles that have recently been created but not used. You may also want to eliminate user profiles that are group profiles or do not have a password.
The use of last-used and last sign-on date is not foolproof. When a user profile is used to send and receive distributions?using the Send Network File (SNDNETF) command, for example?OS/400 does not update the user profile's last-used date.