Admin Alert: Automatically Deleting or Disabling OS/400 User Profiles

by Joe Hertvik

OS/400 user profiles can have short shelf lives, which can increase administration time and security risks. Employees leave work and their profiles must be deactivated (disabled or deleted). The same holds true for temporary workers and consultants. Remembering to deactivate user profiles is a hassle, but OS/400 does offer an alternative that performs the dirty work for you, right on schedule.

The key to automatic deactivation is to create expiration schedule entries for any user profile that is scheduled to expire. The expiration schedule runs every day and automatically disables or deletes user profiles according to its entries. In most recent OS/400 versions, you can maintain and view your schedule through options in the Security Tools menu (GO SECTOOLS), or through two commands that are only available from the green screen. (Note that you must have appropriate authority to execute these functions.)

Here's how you can deactivate user profiles on a certain timetable. First, enter expiration schedule entries for expiring user profiles by using option 8, "Change expiration schedule entry," from the SECTOOLS menu, or by typing in the Change Expiration Scd Entry (CHGEXPSCDE) command from a command line. You can use this command to create a new expiration entry or to change an existing entry in the schedule.

So if I wanted to automatically disable a user profile called MSTEST on July 4, 2003, I would take option 8 and enter the user profile name, the expiration date, and whether I want to disable or delete this user profile on that date. If you tell OS/400 you want to disable the profile, this is all the information you need to enter. But to automatically delete the user profile on that date, there are two other parameters you can enter.

The first parameter, the Owned Object Option, tells OS/400 what it should do with any object that is owned by the profile to be deleted. You have three options here. You can leave the objects alone, without any changes (*NODLT on the green screen), you can delete any object the profile owns (*DLT, which I don't recommend using without reviewing exactly what those objects are), or you can change the object owner for those objects to a different OS/400 user profile (*CHGOWN). With *CHGOWN, the command gives you another parameter to specify which OS/400 user profile should be the new owner of the orphaned objects.

The second option for user profiles to be deleted involves what OS/400 should do if the user profile to be deleted is a group profile that serves as the primary group profile for other user profiles. The options here are whether to ignore this situation (*NOCHG) or to change the primary group value on these profiles (*CHGPGP). If *CHGPGP is selected, you need to specify a new primary group and a new primary group authority to substitute for the deleted user profile.

To change an existing expiration schedule entry, enter another entry for that user profile with the new information you want to use. The new entry will replace the old user profile entry in the schedule.

To view the expiration schedule of all user profiles that will be disabled or deleted according to schedule, choose option 7, "Display expiration schedule," or type in the Display Expiration Schedule (DSPEXPSCD) command from a command line. This option will display or print a list of all pending expiration schedule entries. You can display this list on a 5250 screen or send the list out to a printer spool file by changing the Output parameter on the command.

Once the scheduled deactivation date for a user profile arrives, OS/400 will either disable or delete the target profile and the entry will be removed from the expiration schedule.
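The steps above, written out as commands in a CL source member. This is an added example, not part of the original article: the profile names TMPCONSULT, ARCHOWNER, GRPTEMP and GRPSTAFF are hypothetical, the dates other than MSTEST's are constructed, and the date literals assume a job date format of *MDY.

```cl
/* Added example with constructed values; not from the original article. */
/* Assumes job date format *MDY. TMPCONSULT, ARCHOWNER, GRPTEMP and      */
/* GRPSTAFF are hypothetical profile names.                              */

/* Disable MSTEST on July 4, 2003. Nothing else is needed for *DISABLE.  */
CHGEXPSCDE USRPRF(MSTEST) EXPDATE('07/04/2003') ACTION(*DISABLE)

/* Delete a consultant's profile and hand its owned objects to another   */
/* profile instead of deleting them (*CHGOWN rather than *DLT).          */
CHGEXPSCDE USRPRF(TMPCONSULT) EXPDATE('07/31/2003') ACTION(*DELETE) +
             OWNOBJOPT(*CHGOWN ARCHOWNER)

/* Delete a group profile that is the primary group of other profiles.   */
/* Owned objects are left alone; the affected objects get GRPSTAFF as    */
/* their new primary group with *USE authority.                          */
CHGEXPSCDE USRPRF(GRPTEMP) EXPDATE('07/31/2003') ACTION(*DELETE) +
             OWNOBJOPT(*NODLT) PGPOPT(*CHGPGP GRPSTAFF *USE)

/* Change MSTEST's entry: a second entry for the same profile replaces   */
/* the one created above.                                                */
CHGEXPSCDE USRPRF(MSTEST) EXPDATE('08/01/2003') ACTION(*DISABLE)

/* Send the list of pending entries to a spool file for review.          */
DSPEXPSCD OUTPUT(*PRINT)
```

The `+` continuation applies to CL source; at a command line, type each command on one line or prompt it with F4.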
So if you're administering iSeries boxes in a large organization where there's high user turnover, you can use these options to automatically maintain your user profile lists in a secure and reasonable fashion.
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.