
Object Statistics: Last_used_object Field – Object Authorities

Note: Be careful when you’re evaluating *DIR objects. The last-used date isn’t updated. In other words, you must evaluate the objects in the directory to discover the correct last-used date. In fact, this is where the last_used_object field, recently added to both the QSYS2.OBJECT_STATISTICS and QSYS2.IFS_OBJECT_STATISTICS table functions, is handy. It provides an indication of whether…


Authorization Lists: New Nav – Object Authorities

To manage authorization lists in New Nav, click on the padlock icon and choose Authorization Lists as shown in Figure 7.4. You’ll see that all permissions for all authorization lists are displayed. That’s because what IBM has done is run the QSYS2.AUTHORIZATION_LIST_USER_INFO for all autls and displayed the results. To be honest, this isn’t all…


Authority Collection for Users: Objects in the IFS – Using Authority Collection to Reduce Users’ Authority

What if your service account accesses objects in the IFS? The collection for the profile requires a slightly different configuration. Unlike objects in libraries, where you can be very specific, you can only specify the object types for which you wish to collect the profile’s access. See Figure 6.4. Figure 6.4: STRAUTCOL for user CWOODBURYT…


Authority Collection for Users: Objects in Libraries – Using Authority Collection to Reduce Users’ Authority

First, you must start a collection for the profile you’re going to investigate. Figure 6.1 shows the Start Authority Collection (STRAUTCOL) command. Specify the profile name and then the libraries containing the objects the profile accesses. The more you can scope down the objects for which you’re going to collect information, the better, as there…


Examining the Audit Journal Using New Nav – User Profiles

New Nav provides a graphic way to view entries in the audit journal. Using the audit journal SQL table functions, audit journal entries can be viewed in New Nav. To access the entries, launch and sign in to New Nav, and then click on the padlock and choose Audit Journaling. You’ll be taken to a…


User Profiles and the Audit Journal – User Profiles

It’s one thing to analyze profiles at a point in time (which is what I’ve been describing so far), but many organizations need to understand user profile configurations over time. For example, some organizations have a requirement to track all profiles created so an auditor can look at a report and determine if the appropriate…


Analyzing User Profiles – User Profiles

It’s always good to begin at the beginning, so let’s do that. Basic Information Let’s start with the basics: SQL that mimics DSPUSRPRF *ALL to an outfile. Launch Access Client Solutions (ACS) and then click on Run SQL Scripts. When the window opens, type this: This Select statement provides information about all of the user…


QPWDLVL 4 – Moving to a Higher Password Level

A new password level, 4, was introduced in IBM i 7.5. This password level implements an even stronger method of encrypting the password. To facilitate the move to QPWDLVL 4, as of IBM i 7.5, IBM now generates passwords at QPWDLVL 2 and 3 that will work when the system is IPLed to QPWDLVL 4….


Moving to QPWDLVL 2 Then 3 – Moving to a Higher Password Level

The ultimate goal should be to get to password level 3 because password level 2 starts storing the old (and weak) Microsoft password again. You might be tempted to jump right to password level 3, but if something’s not quite right and you have to move back down to level 0 or 1, it’s going…


Analyzing and Adjusting Profiles’ User Class – Moving to a Higher Security Level

The analysis for moving off of QSECURITY 20 begins with analyzing the profiles’ user class settings. To get this listing, we’ll make use of the QSYS2.USER_INFO IBM i Service: I’ve included the currently assigned special authorities in my SQL so you can see what special authorities may potentially be stripped away when you IPL. I…