
Object Statistics: Last_used_object Field – Object Authorities

Note: Be careful when you’re evaluating *DIR objects. The last-used date isn’t updated. In other words, you must evaluate the objects in the directory to discover the correct last-used date. In fact, this is where the field last_used_object, recently added to both the QSYS2.OBJECT_STATISTICS and QSYS2.IFS_OBJECT_STATISTICS table functions, is handy. It provides an indication of whether…


Object Authorities: IBM i Services for Objects in Libraries – Object Authorities

The QSYS2.OBJECT_PRIVILEGES IBM i table function allows you to list a specific object’s permissions. For example: But what I find more interesting and useful is the IBM i Service version of OBJECT_PRIVILEGES, where you can select objects based on specific criteria. It’s useful because this allows you to find those objects in your production libraries…


Authority Collection for Users: Objects in Libraries – Using Authority Collection to Reduce Users’ Authority

First, you must start a collection for the profile you’re going to investigate. Figure 6.1 shows the Start Authority Collection (STRAUTCOL) command. Specify the profile name and then the libraries containing the objects the profile accesses. The more you can scope down the objects for which you’re going to collect information, the better, as there…


Users and Groups in New Nav – User Profiles

I’ve focused on using Run SQL Scripts, so let’s switch and explore how to use New Nav to manage user and group profiles. Launch New Nav, choose the partition to manage (called a “node” in New Nav), and then go down to the icon that looks like a group of people, as shown in Figure…


Profiles with a Default Password – User Profiles

The Analyze Default Password (ANZDFTPWD) command is great, especially if you’re just getting acquainted with IBM i, but I prefer to get information formatted in a way that helps me more easily analyze risk associated with those profiles. Let’s look at ANZDFTPWD. In addition to the name of the profile with a password that’s the same…


Limited Capabilities – User Profiles

You may also want to look at attributes such as the limited capability setting. Your review would be to make sure that any profile set to limited *PARTIAL or *NO really has a job requirement to use a command line. Inactive Profiles: Finally, inactive profiles need to be managed so they can’t be used as…


Analyzing User Profiles – User Profiles

It’s always good to begin at the beginning, so let’s do that. Basic Information: Let’s start with the basics: SQL that mimics DSPUSRPRF *ALL to an outfile. Launch Access Client Solutions (ACS) and then click on Run SQL Scripts. When the window opens, type this: This Select statement provides information about all of the user…


QPWDLVL 4 – Moving to a Higher Password Level

A new password level, 4, was introduced in IBM i 7.5. This password level implements an even stronger method of encrypting the password. To facilitate the move to QPWDLVL 4, as of IBM i 7.5, IBM now generates passwords at QPWDLVL 2 and 3 that will work when the system is IPLed to QPWDLVL 4….


Moving from QSECURITY Level 20 to 40 – Moving to a Higher Security Level

Tech Note: As of IBM i 7.5, you cannot change QSECURITY to run at level 20. I have to be honest. Moving from QSECURITY level 20 to 40 is a much different story than the 30 to 40 move. Simply put, the move is not trivial. But because QSECURITY level 20 will no longer be…