![]() |
||
SecureMyi.com Security and Systems Management Newsletter for the IBM i
July 9, 2014 - Vol 4, Issue 11
|
||
![]() |
||
![]() ![]() ![]() |
Feature Article
|
|
In This Issue
Quick Links
Our Newsletter Sponsors
Platinum Sponsor |
IBM i Security ResourcesIBM i Security Videos - SecureMyi RedBook - Security Guide IBM i Open Security Foundation - DataLoss DB National Vulnerability Database - NIST ![]() ![]() ![]() |
![]() ![]() |
![]()
|
![]() ![]() ![]() |
|
Security Shorts - Activating User Profiles Only When NeededBy Dan Riehl - SecureMyi.com To enable a user profile, and disable it at a particular time on specific days, you can use the command CHGACTSCDE(Change Profile Activation Schedule Entry). For example, to enable the user profile BOB from 11:00am, and disable it at 5:00pm, on Wednesday, you could use the following command. CHGACTSCDE USRPRF(BOB) ENBTIME('11:00') DSBTIME('17:00') DAYS(*WED) However, if you do not remove this activation schedule entry, the profile will be enabled each Wednesday at the specified time. So, you will manually need to remove the entry after each usage. To remove a user profile from the activation schedule, run the command CHGACTSCDE USRPRF(BOB) ENBTIME(*NONE) DSBTIME(*NONE) DAYS(*WED) You should note, that even though you disable a user profile, any job using that profile currently active or on a job queue will not be effected. (i.e. It will not kill jobs, even though you disable the profile.) This is always the case of disabling User Profiles. They will not be able to start a new Log-on session, but running sessions are not affected. The Activation Schedule is actually implemented in the basic Job Scheduler, accessed using the command WRKJOBSCDE(Work with Job Schedule Entries). You can manage the enable and disable processes from WRKJOBSCDE. You can also hold and release the jobs also using HLDJOBSCDE and RLSJOBSCDE commands. The Job Names for the Activation Schedule are named QSECACT1. The GO SECTOOLS Menu also has an interface to the commands used for the user disable and enable processes. So, you can just GO SECTOOLS and set up the processes from there. IBM i 7.1 Update - You can now use the CRTUSRPRF or CHGUSRPRF command to set an expiration date on a User Profile. When that date is reached, the Profile will be set to disabled. Here is an example in which the user BOB will be disabled on December 31, 2014. CRTUSRPRF USRPRF(BOB) USREXPDATE('12/31/2014') While IBM i 7.1 incorporates the Expiration date in a User Profile display, this feature has long been available through the CHGEXPSCDE(Change Expiration Schedule Entry) command. GO SECTOOLS Option 8. On the CHGEXPSCDE command, you can specify that the user profile will be Disabled, or Deleted on the date specified. The new 7.1 support in the user profile attribute, only allows for disabling the user on the specified date. Here is an example of setting the User Profile to be Deleted on December 31, 2014, and all owned objects transferred to MYOWNER. CHGEXPSCDE USRPRF(BOB) EXPDATE('12/31/2014') ACTION(*DELETE) + The Jobs that expire User Profiles are also set in the basic Job Scheduler WRKJOBSCDE. The job name for the Expiration Schedule jobs are named QSECEXP1.
|
Sponsored Links
IBM i, iSeries and AS/400
|
|
![]() |
||
![]() |
||
Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com | St Louis MO 63017 |