
Object Statistics: Last_used_object Field – Object Authorities

Note: Be careful when you’re evaluating *DIR objects. The last-used date isn’t updated. In other words, you must evaluate the objects in the directory to discover the correct last-used date. In fact, this is where the field last_used_object, recently added to both the QSYS2.OBJECT_STATISTICS and QSYS2.IFS_OBJECT_STATISTICS table functions, is handy. It provides an indication of whether…


Authority Failure Occurs – Using Authority Collection to Reduce Users’ Authority

When reworking your security scheme, you may miss something or a process may only run periodically and the access wasn’t in the collection when you first did your analysis. I’d encourage you to turn back to the collection to resolve this authority failure if it’s not obvious how much authority is required. Yes, you can…


Examining the Audit Journal Using New Nav – User Profiles

New Nav provides a graphic way to view entries in the audit journal. Using the audit journal SQL table functions, audit journal entries can be viewed in New Nav. To access the entries, launch and sign in to New Nav, and then click on the padlock and choose Audit Journaling. You’ll be taken to a…


User Profile Changes in IBM i 7.5 – User Profiles

Tech Note: IBM made several changes in IBM i 7.5 to the Create and Change User Profile (CRT/CHGUSRPRF) commands. The most obvious is that the PASSWORD parameter now defaults to *NONE rather than *USRPRF. In other words, the profile will no…


Profiles with a Default Password – User Profiles

The Analyze Default Password (ANZDFTPWD) command is great, especially if you’re just getting acquainted with IBM i, but I prefer to get information formatted in a way that helps me more easily analyze risk associated with those profiles. Let’s look at ANZDFTPWD. In addition to the name of the profile with a password that’s the same…


Limited Capabilities – User Profiles

You may also want to look at attributes such as the limited capability setting. Your review would be to make sure that any profile set to limited *PARTIAL or *NO really has a job requirement to use a command line. Inactive Profiles Finally, inactive profiles need to be managed so they can’t be used as…


Analyzing User Profiles – User Profiles

It’s always good to begin at the beginning, so let’s do that. Basic Information Let’s start with the basics: SQL that mimics DSPUSRPRF *ALL to an outfile. Launch Access Client Solutions (ACS) and then click on Run SQL Scripts. When the window opens, type this: This Select statement provides information about all of the user…


QPWDLVL 4 – Moving to a Higher Password Level

A new password level, 4, was introduced in IBM i 7.5. This password level implements an even stronger method of encrypting the password. To facilitate the move to QPWDLVL 4, as of IBM i 7.5, IBM now generates passwords at QPWDLVL 2 and 3 that will work when the system is IPLed to QPWDLVL 4….


QPWDLVLs 0 and 1 – Moving to a Higher Password Level

Password levels 0 and 1 define that a user’s password will have a maximum length of 10 characters and can consist only of uppercase A–Z, numerals 0–9, and special characters #, @, $, and _. The problem with these two levels is the restricted character set. The small number of possibilities of password combinations means…


User Profiles Specified in a Job Description – Moving to a Higher Security Level

J entries, as I said, indicate the use of a job description that specifies a user profile. Most of the time, job descriptions are created so that the person using the job description is the profile under which the job runs. But the USER parameter can be specified with the name of a user profile….