user profiles in use - IBM AS400

This is a discussion on user profiles in use - IBM AS400 ; We try to find out, which user profiles are still in use. This is no problem, when a person uses a profile. But what about profiles, which are only used by programs? They do not change the date of last ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: user profiles in use

  1. user profiles in use

    We try to find out, which user profiles are still in use. This is no
    problem, when a person uses a profile. But what about profiles, which
    are only used by programs? They do not change the date of last usage.
    On which criteria can we rely on instead and how can we find out the
    name of the program, which works with this user profile ?


  2. Re: user profiles in use

    On Aug 21, 7:52 am, ulrike.wan...@web.de wrote:
    > We try to find out, which user profiles are still in use. This is no
    > problem, when a person uses a profile. But what about profiles, which
    > are only used by programs? They do not change the date of last usage.
    > On which criteria can we rely on instead and how can we find out the
    > name of the program, which works with this user profile ?


    Just a guess; so I'll get shot down in flames, but would a combination
    of last used date and object auditing get you what you want?

    If wrong I'll be glad to be educated.

    TTFN

    Ian


  3. Re: user profiles in use

    On Aug 21, 2:52 am, ulrike.wan...@web.de wrote:
    > We try to find out, which user profiles are still in use. This is no
    > problem, when a person uses a profile. But what about profiles, which
    > are only used by programs? They do not change the date of last usage.
    > On which criteria can we rely on instead and how can we find out the
    > name of the program, which works with this user profile ?


    If you are using "last login" date, be warned that this is not updated
    when the login is not by green screen. A connection by a network
    share, for instance doesn't count.

    GO SECTOOLS does give some good analysis, but I think it still suffers
    from the same problem.


  4. Re: user profiles in use; i.e. being utilized functionally versusbeing allocated

    Regarding not being a problem "when a person uses a profile",
    presumably that means for an interactive signon, and thus using
    DSPUSRPRF the field UPPSOD can be easily tested.?
    A user profile object is still 'in use' when it owns objects that are
    still 'in use'. Thus if the program owned by the user has not been
    used, then the user profile is effectively unused since/over that same
    time-frame.
    Or a profile may be considered in use even when the user has only
    authorizations to objects [outside of ownership] that are still 'in
    use', but when at least one other user profile refers to that user as a
    [supplemental] group. Refer to: DSPUSRPRF *GRPMBR
    Thus it would seem appropriate, that for a user profile that was not
    used recently according to both UPPSOD per DSPUSRPRF and ODUDAT per
    DSPOBJD, that the question must be redirected to both the list of
    objects owned & authorized for the user, and the users that are members
    of its group.
    Worth considering: I have never dealt with such an issue, at least
    never coded to interrogate, because proper business rules, system &
    application management, and audits, in combination, ensure that any
    required user profiles are scheduled for deletion when they are no
    longer required. Programmed security reviews of profiles ensure that
    passwords are changed periodically [according to guidelines] or that the
    user has its password set to *NONE [preventing use by the /signon/
    features], and that the authority to each user profile is available only
    for those documented [preventing use by non-*ALLOBJ users]. Then
    if/when any "Oops!" occurs, that situation is as good as a "function
    check" for an unmonitored error condition, to indicate that there is an
    error needing correction. In this scenario, probably an indication that
    the registration of that user profile name in the system management is
    required for proper system operation -- and that needs to be recorded
    appropriately to prevent a future unplanned deletion.

    Regards, Chuck
    --
    All comments provided "as is" with no warranties of any kind
    whatsoever and may not represent positions, strategies, nor views of my
    employer

    ulrike.wanner@web.de wrote:
    > We try to find out, which user profiles are still in use. This is no
    > problem, when a person uses a profile. But what about profiles, which
    > are only used by programs? They do not change the date of last usage.
    > On which criteria can we rely on instead and how can we find out the
    > name of the program, which works with this user profile?


+ Reply to Thread