Admin Alert: The Joys and Pains of Automatically Disabling User Profiles
April 13, 2005 Joe Hertvik
In previous Admin Alerts, I discussed two ways to activate and deactivate individual user profiles by using OS/400 Activation Entries and OS/400 Expiration Schedule Entries. While these features disable and enable individual profiles, they do nothing to automatically disable any OS/400 user profiles that have been inactive for a set number of days. That’s where OS/400’s Analyze Profile Activity command (ANZPRFACT) comes in, a valuable technique that contains one nasty pitfall.
Used properly, ANZPRFACT automatically disables any user profile that has not been used in a certain number of days. If your security policy called for automatically disabling user profiles that have not been active in the last 30 days, for example, you could accomplish that task by calling ANZPRFACT in the following way:
Once activated this way, ANZPRFACT configures a nightly scheduled job called QSECIDL1, which examines all the user profiles on your system and automatically disables any non-IBM profiles that have not been active during the last 30 days (or whatever number of days you specified in the number of inactive days parameter, INACDAYS). IBM uses the last used date associated with each user profile to determine if the profile has been active during that time period. If the profile had never signed on to your system–as specified when its last used date is blank–OS/400 will use the profile’s last restored date as its last used date. QSECIDL1 disables inactive user profiles every night, and messages containing the name of each disabled user profile are sent to the message queue of the person who last ran the command.
In i5/OS V5R3, the QSECIDL1 job is scheduled to run in the wee hours of the morning, usually at 1:00 AM, but you can easily change its start time by editing the QSECIDL1 job scheduler entry with either the Work with Job Schedule Entries (WRKJOBSCDE) or the Change Job Schedule Entry (CHGJOBSCDE) command.
If you change your mind and decide to deactivate ANZPRFACT processing, you can turn it off by running the command with the INACDAYS parameter equal to *NOMAX, like this:
ANZPRFACT is a great tool for automatically limiting the number of user profiles that can sign on to your system, but it can also accidentally disable valid user profiles that are critical to system processing. IBM exempts a fair number of OS/400 system profiles (user profiles that begin with the letter ‘Q’) from being affected by ANZPRFACT processing. Exempted IBM system profiles that should never be disabled include QSECOFR, QSPL (the Spool User profile), and QTCP (for running TCP/IP applications). You can see the complete list of user profiles that are exempted from ANZPRFACT processing by pressing Help (F1) while prompting the ANZPRFACT command.
Because many OS/400 server jobs–including third party packages–require a valid user profile that will never be disabled to run, IBM offers a function to add non-IBM profiles to an active profile list. User profiles on the active profile list will be skipped by ANZPRFACT as it runs its daily processing.
To view your machine’s active profile list, use the Display Active Profile List (DSPACTPRFL) command:
This displays the current list of active user profiles. If you want to add a profile to the list, use the Change Active Profile List (CHGACTPRFL) command, as follows:
CHGACTPRFL USRPRF(profile_name) ACTION(*ADD)
And this command will add a user profile name to the list. Multiple profiles can be added to the list through one CHGPRFL command.
While user profiles on this list are immune from being disabled through ANZPRFACT processing, they can still be disabled through other OS/400 functions, such as the OS/400 security function that automatically disables any user profile that is used in a set number of consecutive, incorrect sign-on attempts (as controlled by the QMAXSGNACN and QMAXSIGN system values).
When using ANZPRFACT, IBM recommends that the active profile list should contain any user profiles that own application objects or are used by applications that do not manually sign on to the system (such as profiles that are used to run batch server jobs). If you don’t add those profiles to this list in an ANZPRFACT scenario, you could suddenly see key server applications fail when the user profile the application runs under passes its expiration date and is automatically disabled by OS/400.
To remove an existing user profile from the active profiles list, run the CHGACTPRFL command with the Action parameter (ACTION) equal to *REMOVE, like this:
CHGACTPRFL USRPRF(profile_name) ACTION(*REMOVE)
It’s worth noting that user profiles are also removed from the list whenever a profile is deleted by using iSeries Navigator or the green screen Delete User Profile command (DLTUSRPRF).
If you decide to use ANZPRFACT to automatically disable inactive user profiles, it’s critical to create and maintain your list of protected active user profiles to keep your system server jobs running smoothly.
Click here to contact Joe Hertvik by e-mail.