| | | | |

Object Statistics: Last_used_object Field – Object Authorities

Note Be careful when you’re evaluating *DIR objects. The last-used date isn’t updated. In other words, you must evaluate the objects in the directory to discover the correct last-used date. In fact, this is where the field last_used_object recently added to both QSYS2.OBJECT_STATISTICS and QSYS2.IFS_OBJECT_STATISTICS table functions is handy. It provides an indication of whether…

|

Managing Permissions Using IBM i Access Client Solutions (ACS) – Object Authorities

If you wish to manage permissions using a graphical format, you’re going to have to use ACS as New Nav currently has no way to view or manage permissions. But not to worry; the interface in ACS is quite usable. In fact, I quite like the ACS interface. To use ACS to manage permissions, launch…

| |

Authority Collection for Users: Objects in the IFS – Using Authority Collection to Reduce Users’ Authority

What if your service account accesses objects in the IFS? The collection for the profile requires a slightly different configuration. Unlike objects in libraries, where you can be very specific, you can only specify the object types for which you wish to collect the profile’s access. See Figure 6.4. Figure 6.4: STRAUTCOL for user CWOODBURYT…

| |

Users and Groups in New Nav – User Profiles

I’ve focused on using Run SQL Scripts, so let’s switch and explore how to use New Nav to manage user and group profiles. Launch New Nav, choose the partition to manage (called a “node” in New Nav), and then go down to the icon that looks like a group of people, as shown in Figure…

| |

User Profile Changes in IBM i 7.5 – User Profiles

Tech Note IBM i 7.5 made several changes to the Create and Change User Profile commands. IBM made several changes in IBM i 7.5 to the Create and Change User Profile (CRT/CHGUSRPRF) commands. The most obvious is that the PASSWORD parameter now defaults to *NONE rather than *USRPRF. In other words, the profile will no…

| |

Group Profiles Without Members – User Profiles

Note that I’ve used group_id_number <> 0 to find the group profiles. When a profile is made a group (that is, it’s listed as a user’s group profile or one of its supplemental groups), it’s assigned a group ID (GID). Even after all of the members are removed from a group, it retains its GID,…

| | | | |

QPWDLVL 4 – Moving to a Higher Password Level

A new password level, 4, was introduced in IBM i 7.5. This password level implements an even stronger method of encrypting the password. To facilitate the move to QPWDLVL 4, as of IBM i 7.5, IBM now generates passwords at QPWDLVL 2 and 3 that will work when the system is IPLed to QPWDLVL 4….

|

Changes That Occur with QPWDLVL 2 or 3 – Moving to a Higher Password Level

Setting changes to QPWDLVL requires an IPL. Here are the changes you’ll see after the IPL to level 2 or 3 from 0 or 1. Figure 4.1: The sign-on display after IPLing to QPWDLVL 2 or 3. Notice the increased length of the Password field. Figure 4.2: At QPWDLVL 2 or 3, the User password…

| |

Analyzing and Adjusting Profiles’ User Class- Moving to a Higher Security Level

The analysis for moving off of QSECURITY 20 begins with analyzing the profiles’ user class settings. To get this listing, we’ll make use of the QSYS2.USER_INFO IBM i Service: I’ve included the currently assigned special authorities in my SQL so you can see what special authorities may potentially be stripped away when you IPL. I…

| |

Moving from QSECURITY Level 20 to 40- Moving to a Higher Security Level

Tech Note As of IBM i 7.5, you cannot change QSECURITY to run at level 20 I have to be honest. Moving from QSECURITY level 20 to 40 is a much different story than the 30 to 40 move. Simply put, the move is not trivial. But because QSECURITY level 20 will no longer be…