Four Hundred Guru--Admin Alert: Eternal Users: A Common Problem With IBM i Batch Jobs

Newsletters	Subscriptions	Forums	Safari	Store	Career	Media Kit	About Us	Contact	Search	Home

Volume 12, Number 23 -- September 19, 2012

Admin Alert: Eternal Users: A Common Problem With IBM i Batch Jobs

Published: September 19, 2012

by Joe Hertvik

Many IBM i shops have problems with eternal users. Eternal users are user profiles previously used by former IBM i power users that are still on the system. Although these users have left your organization, you can't delete their user profiles, because the profiles are used in IBM i functions used to run batch jobs. This week, let's look at eternal users and how to weed them out of your system.

How The Gotcha Gets Ya

Eternal users happen when administrators use their own or other power user profiles for submitting batch work to the system. Batch jobs are frequently submitted under a power user profile because that profile is configured correctly to run that particular batch job. This is a fairly commonplace practice.

Using an active power user to run batch jobs works great. . . until the user leaves the company. Best practices and auditing procedures may force you to delete the user profile within a specified time period, such as 30 days. Sometimes you'll find that after you delete a power user profile, many of your automated jobs stop working. This holds up production and can even cause data corruption if the scheduled job failure affects processing in other scheduled jobs.

To avoid problems, many shops leave terminated administrator and power user profiles on their systems instead of deleting them, to avoid the risk of key batch processing crashing unexpectedly. The result is the eternal user who can't be deleted for fear the user's absence will crash the system. This is a fairly common IBM i problem.

To avoid littering your system with eternal users and to cure any jobs currently running under eternal user profiles, my personal best practices for dealing with this issue are the following:

1. Create a batch user profile that has enough authority to run any automated procedure in your job scheduling functions. You can set the user up so that they can never sign on to the system by running the following Change User Profile (CHGUSRPRF) command, after the batch user is configured with the proper authorities.

CHGUSRPRF USRPRF(user_name) PASSWORD(*NONE)
PWDEXP(*NO) STATUS(*DISABLED)

This command takes away the batch user's ability to sign on to the system by: 1) disabling the user profile (setting the Status parameter to *DISABLE); and 2) making sure no password is associated with this user profile (setting the User Password parameter to *NONE). Notice that I've also set the "Set password to expired" parameter to *NO (non-expired) for this user. This is because you can't expire a user profile that doesn't have a password, at least not in the IBM i 6.1 system I tested this article on.

The key is that while a disabled user without a password can't sign on to the system, it can be used to run batch jobs. Most auditors will understand the concept of using a non-active batch user profile to run batch jobs, instead of using IBM system profiles such as QSECOFR or active power user profiles. And because the batch user profile can never sign on to your system, it's usually not an issue to leave it on your system forever.

2. Stop designating live user profiles as the profiles that your batch jobs will be submitted under. Start specifying the designated batch user profile in the following functions that can submit jobs on an IBM i system.

The User parameter in the Add Job Schedule Entry (ADDJOBSCDE) command or the Change Job Schedule Entry (CHGJOBSCDE) command of the IBM job scheduler.
The User parameter in any Submit Job (SBMJOB) commands that may be embedded in CL programs.
The user profile entry in the IBM job scheduler, such as Help/Systems' Robot/SCHEDULE job software, or any other IBM i-based job scheduling software.
The User parameter in any IBM i operating system Job Description (*JOBD) objects that are used to submit Autostart jobs in subsystems and in other system functions. Be sure to check the QDFTJOBD job description, which is frequently used as the default *JOBD for submitting jobs to QBATCH. Many shops like to make a copy of the QDFTJOBD *JOBD in another library and modify it for their own use. A good way to find subsystems that start jobs through job descriptions is to run a Work with Active Jobs (WRKACTJOB) command and look for any subsystems that are running jobs with type "*ASJ". Those subsystems are using job descriptions to start autostart jobs when the subsystem is started. For more information on using job descriptions for running autostart jobs, see my article on using OS/400 Autostart jobs for repetitious server processing.
Any other IBM construct that can be used to specify a user profile that will be used to submit a batch job.

This step can be used to stop the practice of using a live profile to start batch jobs. Make it a firm rule in your shop that it's no longer acceptable to use live user profiles for scheduled jobs and you'll cut down on the problem before too long.

3. Start weeding out live user profiles in batch jobs, as time permits. It can be a daunting task to audit all the entries in your job scheduler, plus your job descriptions, and replace eternal user profiles with batch user profiles that have the authorities you need to still run your jobs. I don't recommend that you attempt to change all your batch jobs at once. Take it slow and go through these jobs a few at a time to orderly transition your batch job structure to user profiles that will never be deleted.

The biggest issue with eternal users in batch jobs is that it's hard to know when you're finished. But if you take prudent steps to stop the problem from spreading using non-active batch profiles and then weed out terminated user profiles from submitting jobs in your system, you'll eventually minimize the problem so that you no longer have to fear deleting terminated users from your system.

More On Checking IBM i PTF Level Status

Regarding my recent article on checking IBM i OS and PTF Level Status for Sarbanes-Oxley Documentation, a few readers wrote in with additional information I didn't mention in the article.

First, several readers pointed out that I incorrectly said that there was no option in the i 6.1 Work with PTF Group (WRKPTFGRP) command to produce a spooled file report of current PTF group status. They wrote in to tell me that if you press the F6=Print function key off the WRKPTFGRP screen, the command will produce a PTF Group status printout of all the PTF groups on your system, similar to what's shown on this screen.

(Click graphic to enlarge.)

This works and I should have noticed this feature when I wrote the article. I apologize for the omission.

The readers also mentioned that if you're looking for a list of all the installed PTFs for any particular group, you can also enter a "6=Print" in front of the group you're interested in. This feature will produce a printout showing all the PTFs that are applied for the selected PTF group. Here's what this report looks like if I take an option 6 to display all the PTFs for SF99354, TCP/IP Group PTFs on one of my machines.

(Click graphic to enlarge.)

Another good tip came from an IBM reader who pointed that out when looking for up to date PTF information, my readers should check out the IBM Preventive Service Planning – PSP website. This site also lists out the latest PTF Groups by Release (i5/OS V5R4, i 6.1 and i 7.1) and the PTF Groups by Latest Update. The "PTF Groups by Latest Update" selection is nice in that it shows the release dates for all current PTF group releases and the PTF groups that were released on each date. So it's a nice way to see which PTF groups are the most recent. Here's what the IBM screen looks like:

(Click graphic to enlarge.)

So between this IBM screen and the IT Jungle System i PTF Guide, which I referenced last issue, there are two great locations for looking up the latest PTF group release dates.

Follow Me On My Blog, On Twitter, And On LinkedIn

Check out my blog at joehertvik.com, where I focus on computer administration and news (especially IBM i); vendor, marketing, and tech writing news and materials; and whatever else he come across.

You can also follow me on Twitter @JoeHertvik and on LinkedIn.

Joe Hertvik is the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002.

Using OS/400 Autostart Jobs for Repetitious Server Processing

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Sponsored By
TEMBO APPLICATION GENERATION

It is extremely important to recognize that if your
installation has not yet adopted the SQL (DDL/SQE) engine
as your primary DB2 for i interface and is still primarily
using the ISAM (DDS/CQE) engine for database access,
you are using the leading high volume commercial OLTP
platform severely shackled and constrained.

Why SQL Engine?

1. The DB2 SQL engine has been the foundation of all developments and enhancements to IBM i
(and predecessors) since 2000.

2. In a highly competitive business environment it is all about AGILITY - the DB2 SQL engine enables that.

3. It offers up-to-date database documentation and access to leading database modeling tools.

4. It is the strategic database interface for the industry (standards compliancy).

5. It allows you to present a modern database to the outside world, and to your users, with meaningful
longer file (table) and field (column) names, which is a foundational requirement for Analytics.

6. It is the foundation for any real, lasting application modernization and agility responding to
DB change requests.

7. It ensures:
   • data integrity
   • improved Return on Investment
   • reduction in costs, speed to respond
   • massive increase in performance
   • openness
   • skills availability

How To Upgrade To Native SQL Engine

Due to the perceived risk and complexity, most IBM i installations internationally have continued to use the ISAM (DDS/CQE) engine as their primary database access method. This has certainly added to the perception that the platform is legacy, whilst it is in fact probably the most advanced implemantation of the DB2 database engine. We, as the installed base, however have been guilty of severely hampering and constraining our systems as a result, causing our system to be perceived as old, unyielding and legacy.

It is entirely feasible for you to upgrade from the ISAM to SQL engine with:

   • Little to no disruption
   • Little to no risk
   • Gradually (one file, library, database or system at a time)
   • Without the use of Surrogates
   • Non-invasively
   • Easily
   • And with no need to recompile your code (No LVLID changes)!!!

AO Foundation Solution

The fundamental requirement in the first place of implementation is to upgrade as much as possible to a high performing, native SQL (DDL) database, excluding unsupported constructs (see AO Website for details) without ANY LIVID changes.

   • Evolution, not revolution.
   • One File, one library, one database or one system at a time.
   • Facilitate AGILITY!
   • Enable ANALYTICS!
   • Long file and field names "out of the box," depending on internal practices.
   • Allowing any combination of ISAM and SQL to co-exist.
   • No to low risk.
   • Gradual, non-disruptive roadmap.
   • Regain control of your database(s).
   • Gradual sanitation of your database(s).
   • Gradual consolidation of your Metadata.
   • Regain control of your Metadata.
   • Gradually enhance/enrich your Metadata ala OA Metadata Consortium.
   • Native leveraged SQL database.
   • Central management of Database Indexing Strategy.
   • FULL, native management of your ISAM (CQE) and SQL (SQE) database(s) on DB2 for i.
   • Non-invasive, incremental roadmap.

Once the inital upgrade is facilitated, the database(s) can then gradually, incrementally improved and sanitized, focusing on ROI the entire time.

AO Foundation Benefits

Immediate, low-risk, non-disruptive exploitation of the native SQL database engine.

   • Solid foundation for future modernization projects.
   • Your database now presents itself as modern to the outside world and your end users.
   • AO Foundation removes the tedium and error-prone repetition out of upgrading to the
     SQL (SQE) engine, allowing you to focus on value adding aspects of application modernization.
   • No "vendor lock-in" - we deliver your database back completely under your control.
   • No LVLID changes during Phase 1 of database upgrade process, hence no recompilation
     of ANY code.
   • Massive potential performance benefits
   • AGILITY
   • FULL, native IBM i based management of your ISAM and SQL database(s) on DB2 for i.
   • Gradual, non-disruptive roadmap
   • Unshackled applications, unlocking the full value of your IT investments
   • Multi-Tier architecture

www.adsero-optima.com

YES YOU CAN!!!

Senior Technical Editor: Ted Holt

Technical Editor: Joe Hertvik

Contributing Technical Editors: Edwin Earley, Brian Kelly, Michael Sansoterra

Publisher and Advertising Director: Jenny Thomas

Advertising Sales Representative: Kim Reed

Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Connectria Hosting: Download the State of the i White Paper highlighting Connectria's IBM i Cloud
Bytware: Protect your IBM Power Systems from security threats. Download the IFS security bundle!
looksoftware: iBelieve New York. A free IBM i Community Event. September 27.

IT Jungle Store Top Book Picks

BACK IN STOCK: Easy Steps to Internet Programming for System i: List Price, $49.95

The iSeries Express Web Implementer's Guide: List Price, $49.95
The iSeries Pocket Database Guide: List Price, $59
The iSeries Pocket SQL Guide: List Price, $59
The iSeries Pocket WebFacing Primer: List Price, $39
Migrating to WebSphere Express for iSeries: List Price, $49
Getting Started with WebSphere Express for iSeries: List Price, $49
The All-Everything Operating System: List Price, $35
The Best Joomla! Tutorial Ever!: List Price, $19.95


Sirius Fluffs Up A Cloud For IBM i SMBs Can My Power 520 Run IBM i 7.1, And Do It Well? PowerVM Outshines Other VMs In IBM-Backed Report Mad Dog 21/21: The Malady Of All Empires IBM To Stop Peddling Power6+ Processors Soon


IDSync Comes to IBM i from Trucking World EVault Delivers Backup Flexibility with Release 7 Zend Expects Biggest PHP Confab Yet with ZendCon '12 Linoma Goes 'Virtual' with GoAnywhere Services 3.0 Real Vision Bolsters Mobile App with Useful New Features


Four Hundred Monitor's Full iSeries Events Calendar


September 15, 2012: Volume 14, Number 37 September 8, 2012: Volume 14, Number 36 September 1, 2012: Volume 14, Number 35 August 25, 2012: Volume 14, Number 34 August 18, 2012: Volume 14, Number 33 August 11, 2012: Volume 14, Number 32 August 4, 2012: Volume 14, Number 31

Huawei previews Cisco-killin' E9000 modular system

IT biz bosses are 'BIGGEST job cutters' in the US

Canonical aligns Ubuntu Server with quick-change OpenStack

Oracle tunes up VirtualBox hypervisor for Windows 8

Codethink jumps into the ARM server fray with Baserock Slab

AMD aims at big data crunchers with SeaMicro SM15000

Intel shows off Seacliff Trail SDN-enabled switch

Amazon creates exchange for reserved cloud capacity

Intel to etch 22nm Xeons and Atoms in 2013

Acer racks up Xeon E5s, picks fight with US server bad boys

AMD previews Piledriver, Ivy Bridge SeaMicro microservers

Intel hints at weaving network fabric into Xeons, Atoms

THIS ISSUE SPONSORED BY:
WorksRight Software Bytware Tembo Application Generation

	Printer Friendly Version

TABLE OF CONTENTS
The New Basics: Indicators OSHA Changes To IBM Battery Handling Affect Cache Battery Replacement Admin Alert: Eternal Users: A Common Problem With IBM i Batch Jobs

Four Hundred Guru

BACK ISSUES