• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • Admin Alert: More on Safely Deleting User Profiles

    November 17, 2004 Joe Hertvik

    In the last “Admin Alert,” I presented a checklist of items to review before deleting i5, iSeries, or AS/400 user profiles. Because of OS/400’s design, the checklist was incomplete, since there are so many OS/400 processing functions that can launch jobs running under a particular user profile. Fortunately, my readers came to the rescue on this one with more items to add to the checklist.

    User profiles usually own objects, they can be used in running regularly scheduled jobs or in client/server situations, or they may be group profiles that other user profiles depend on for program and file authorization. Such situations should be considered before deleting a profile, and my checklist provided techniques for safely locating functions that use a profile. The checklist wasn’t all-inclusive, however, and here are some valuable additions that readers sent me.

    Has the user profile recently been used?

    John Earl of The PowerTech Group came up with a way to determine the last time a user profile was used. John uses the Display Object Description (DSPOBJD) command to retrieve the full set of object attributes for a user profile object. To do this for a user profile named Joe, for example, you would run DSPOBJD like this:

    DSPOBJD OBJ(JOE) OBJTYPE(*USRPRF) DETAIL(*FULL)
    

    This command lists several interesting pieces of information, including the last date and time the profile was used. For older disabled profiles, this information is valuable because it gives you a clue as to whether the profile is still in use for various jobs. If the profile was used today, for example, the Last used date field would contain today’s date.

    The Last used date is useful because you can prepare a profile for deletion, disable it, and then let it sit for a period of time, like a month. If after a month of inactivity the user profile hasn’t been used, chances are good that it can be deleted. The only way you would get burnt in this situation is if the user profile is used in quarterly jobs, yearly jobs, or other jobs that don’t run very often.

    It’s important to remember that the Last used date is different from the Previous sign-on date displayed when you view a user profile. The Last used date refers to the last time the user profile was used in any capacity (to run batch jobs, in an ODBC connection, to sign on to OS/400), while the Previous sign-on date refers to the last time the user profile actually signed on to an OS/400 session. For our purposes, the Last used date gives the correct answer.

    Are there messages or spool files being created for this user profile on a regular basis?

    Like Hansel and Gretel walking through the forest, an active user profile will leave breadcrumbs behind it as it is being used. This tip was provided by David Morris, who reminded me that messages and spool files are activity indicators for jobs that use specific user profiles. All of which makes a review of the user profile’s message queue or generated spool files an easy place to find jobs that run under that particular profile.

    To find job messages that were generated for a specific user, you can use the Display Message (DSPMSG) command like this:

    DSPMSG MSGQ(user profile message queue name)
    

    In most cases, the user profile message queue name will have the same name as the user profile. But if you want to double-check the message queue name, you can find its name under the Message Queue (MSGQ) parameter of the user profile.

    The drill is simple. If a user profile has been disabled for a set period of time and job messages are still appearing for that profile, you can use those messages to determine which jobs are still running under the profile.

    Similarly, you can find any spool files that were generated by jobs running under your target user profile by using the Work with Spooled Files (WRKSPLF) command, like this:

    WRKSPLF SELECT(user profile name)
    

    This shows you all the spool files generated for this user. If you’re lucky, you might find information about the job that produced them inside the user data field of each spool file. But it’s easier to identify the job that created a spool file by entering ‘8’=Attributes in front of the spool file entry and looking at the upper left-hand portion of the Work with Spool File Attributes screen that appears; this is where the job name, user, and job number of the job that created the spool file are listed.

    There is one drawback to locating user jobs through their spool files. Many jobs don’t create spool files at all, and most jobs don’t create job logs unless the program ends abnormally. So the spool file technique has its limits, and I wouldn’t recommend using it as the final authority for locating all jobs that run under your target user. But it’s a helpful indicator for finding some jobs.

    What other “gotchas” should you watch out for?


    Unfortunately, there are plenty. Here are several tricky ones that other readers told me about:

    • Jobs running under your target user that were submitted through a Submit Job (SBMJOB) command embedded in a batch CL program. You might have a shot at finding these by looking through the user’s message queue or spool files.

    • Scheduled jobs set up through Operations Navigator’s Advanced Job Scheduler program.

    • Hidden user profiles and passwords used in scripting functions on remote computers. Your target user profile can be embedded in a Windows script, an automated FTP session on another machine, a DDM connection, or a Visual Basic, Java, or another program. Prior documentation of these situations is the best locator, but after deleting a user profile you may discover that some functions on remote computers are no longer able to communicate with your i5, iSeries, or AS/400.

    • Programs that use APIs to switch to another user profile.

    As far as I know, there is no easy way to locate deleted user profile names and passwords in these situations. But if any enterprising reader can think of an easy way to solve these or any other gotcha situation, I’ll be glad to mention them in a future column.

    Click here to contact Joe Hertvik by e-mail.

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags:

    Sponsored by
    DRV Technologies, Inc.

    Get More from Your IBM i

    Many users today struggle to get at the data they need on the IBM i. When users get reports, they look like they were formatted some time last century.

    Some organizations are still printing pre-printed forms and checks on impact printers.

    How often do operators log on to their system to look for messages they hope they don’t find?

    All of these scenarios can affect users’ perception of the IBM platform negatively, but there are simple solutions.

    DRV Technologies Inc. develops innovative solutions that help customers get more from their IBM i systems.

    Solutions include:

    • SpoolFlex spool conversion & distribution
    • FormFlex electronic forms
    • SecureChex MICR laser check printing
    • MessageFlex system monitoring

    FlexTools streamline resources, improve efficiency and enable pro-active system management.

    Better software, better service, DRV Tech.

    Learn how you can get more from your IBM i at www.drvtech.com

    Call 866 378-3366 for a Free Demonstration

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Linoma Offers PGP Studio with Data Transfer Tool Myths, Misconceptions Run Wild in World of High Availability

    Leave a Reply Cancel reply

Volume 4, Number 39 -- November 17, 2004
THIS ISSUE
SPONSORED BY:

T.L. Ashford
Advanced Systems Concepts
WorksRight Software

Table of Contents

  • Discover the DBVisualizer
  • Creating Effective Passwords
  • Admin Alert: More on Safely Deleting User Profiles

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • IBM Tweaks Some Power Systems Prices Down, Others Up
  • Disaster Recovery: From OS/400 V5R3 To IBM i 7.4 In 36 Hours
  • The Disconnect In Modernization Planning And Execution
  • Superior Support: One Of The Reasons You Pay The Power Systems Premium
  • IBM i PTF Guide, Volume 25, Number 13
  • IBM i Has a Future ‘If Kept Up To Date,’ IDC Says
  • When You Need Us, We Are Ready To Do Grunt Work
  • Generative AI: Coming to an ERP Near You
  • Four Hundred Monitor, March 22
  • IBM i PTF Guide, Volume 25, Number 12

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2023 IT Jungle