TechTip: Control User Profile Sign-On Behavior

Security - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Don't waste time coding CL programs to disable and re-enable profiles. Instead, use commands that the fine folks at IBM have made just for that purpose!

 

We've all had user profiles we wanted under our thumbs a little tighter.

 

Let's say you have a couple of temporary work-term students who will be at your company for the next six months. What happens? Chances are you are verbally notified by their manager the day they arrive with the expectation of a laptop, email account, and IBM i access. Then you set them up like any other user, along with instructions on how to operate the old-school coffee machine, of course. Six months go by, and you've forgotten all about those kids who've now gone back to school. Perhaps someone in HR will let you know they're gone and give you a formal request to disable their profiles, but I think that's more the exception than the rule in most shops.

Using Expiration Schedule Entries

Instead of relying on anyone to give you a heads up to disable a profile, be proactive about it and use the CHGEXPSCDE command. This command gives you the power to set a profile to expire or even delete on a certain date. For example, enter the following command to disable user profile STUDENT55 on December 12, 2011.

CHGEXPSCDE USRPRF(STUDENT55) EXPDATE('12/12/2011) ACTION(*DISABLE)

Furthermore, the command DSPEXPSCD will display a list of profiles that are pending expiration. This is a great little feature, especially if your shop has a high rate of employee turnover.

Using Activation Schedule Entries

What if you want more granularity when handling user profiles? Let's say you have a vendor who has a little extra authority and you want to ensure they're not on the system after hours doing things without your knowledge. It happens, people! A vendor takes it upon himself to log onto a system and make a change one evening, unbeknownst to anyone of course. First thing the next morning, you get calls from users saying a screen looks different. That's not cool, and you certainly don't look like you know what's going on or appear to have much control of your system.

 

Instead of flying to your vendor's office and holding a public flogging clinic in their parking lot (or actually in addition to doing that), you can use the CHGACTSCDE command to ensure that certain profiles are not allowed to sign on to your system during various hours of the day.

 

For example, if you have a vendor with a user profile called UNRULYVEND, you can authorize this profile to sign on only during weekday office hours of 8:30 a.mm to 5:00 p.m. by using the following command:

 

CHGACTSCDE USRPRF(UNRULYVEND) ENBTIME('08:30:00')
   DSBTIME('17:00:00') DAYS(*MON *TUE *WED *THU *FRI)

 

The command DSPACTSCD shows you what profiles are being controlled by an activation schedule.

And if You're Already at V7.1…

The functionality of the commands above has been integrated into the user profile so that you can change them there! USREXPDATE (User expiration date) and USREXPITV (User expiration interval) are two new parameters you can use when doing a CHGUSRPRF (Change User Profile). The CHGACTSCDE and CHGEXPSCDE commands still work and are supported. As well, if you use the CHGEXPSCDE on a profile, then by using the Display User Profile (DSPUSRPRF) command, your system will show the value you specified.

as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,

Steve Pitcher
Steve Pitcher works with iTech Solutions, an IBM Premier Business Partner. He is a specialist in IBM i and IBM Power Systems solutions since 2001. Feel free to contact him directly This email address is being protected from spambots. You need JavaScript enabled to view it..
BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  •  

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: