Limited Capabilities – User Profiles
You may also want to look at attributes such as the limited capabilities setting. The review here is to make sure that any profile with limited capabilities set to *PARTIAL or *NO really has a job requirement to use a command line.
Finally, inactive profiles need to be managed so they can’t be used as a target of abuse. Some organizations use the Analyze Profile Activity function from the SECTOOLS menu to set profiles to the status of disabled after a period of time. But often, organizations want to manage the disabling and deletion of profiles themselves. Even if you have automated these processes, reviewing the list produced by the SQL below can assure you that your processes are working. In addition, automated processes usually have some type of “omission” list of profiles that the automated process will never touch. It’s good to review that omission list so you don’t continue to omit profiles that really should now be set to the status of disabled or even removed from the system. The following SQL lists all profiles that were created over three months ago and haven’t been used in that timeframe.
You can do all sorts of creative things with timestamps. For example, some organizations want to disable a profile if, after creation, the user doesn’t change their password within the first week. So you could do something similar to the previous example using the password_change_date and use “days” as the timeframe rather than “months.”
The SYSTOOLS.CHANGE_USER_PROFILE() table function provides more than just a list of inactive profiles. Depending on the value of the Preview parameter, you can have the table function set the identified profiles to a status of *DISABLED. That is useful if you want to automate the disabling of profiles once they meet the criteria for being considered inactive.
Running the example below, all profiles that have either never been used or haven’t been used in three months and were created more than three months ago will be set to a status of *DISABLED.
You can review the list of profiles prior to the change by setting the Preview parameter to YES in the table function. Not all user profile attributes are included in this function (some notable ones that are missing include the supplemental group and special authorities attributes), but enough are included to make this useful and, hopefully, over time, IBM will provide a fully functional equivalent of CHGUSRPRF. In addition, it’s likely you’d want to add another piece to that Where clause—that is, a list of profiles to which the change would never apply.
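The preview step and the omission-list review described above can be combined as follows. This is an added example, not SQL from the original article: SECADMIN.PROFILE_OMIT is a hypothetical omission table, and the P_USER_NAME and P_STATUS parameter names and the QSYS2.USER_INFO column names are assumed from IBM's documentation of these services and should be checked against your release.

```sql
-- Added example; SECADMIN.PROFILE_OMIT (column PROFILE_NAME) is hypothetical.

-- 1. Preview: profiles that WOULD be disabled. Nothing is changed while
--    PREVIEW => 'YES'.
SELECT cp.*
  FROM qsys2.user_info ui,
       TABLE(systools.change_user_profile(
               p_user_name => ui.authorization_name,
               p_status    => '*DISABLED',
               preview     => 'YES')) cp
 WHERE ui.status = '*ENABLED'
   AND ui.creation_timestamp < CURRENT TIMESTAMP - 3 MONTHS
   AND (ui.last_used_timestamp IS NULL
        OR ui.last_used_timestamp < CURRENT TIMESTAMP - 3 MONTHS)
   -- Assumption: IBM-supplied profiles start with Q and are left alone.
   AND ui.authorization_name NOT LIKE 'Q%'
   -- NOT EXISTS rather than NOT IN, so a NULL row in the omission table
   -- cannot silently empty the result.
   AND NOT EXISTS (SELECT 1
                     FROM secadmin.profile_omit o
                    WHERE o.profile_name = ui.authorization_name);

-- 2. Omission-list review: omitted profiles that meet the same inactivity
--    criteria, plus entries that no longer match any profile on the system.
SELECT o.profile_name,
       ui.status,
       ui.creation_timestamp,
       ui.last_used_timestamp,
       CASE WHEN ui.authorization_name IS NULL
            THEN 'NO SUCH PROFILE'
            ELSE 'INACTIVE BUT OMITTED'
       END AS finding
  FROM secadmin.profile_omit o
  LEFT JOIN qsys2.user_info ui
    ON ui.authorization_name = o.profile_name
 WHERE ui.authorization_name IS NULL
    OR (ui.creation_timestamp < CURRENT TIMESTAMP - 3 MONTHS
        AND (ui.last_used_timestamp IS NULL
             OR ui.last_used_timestamp < CURRENT TIMESTAMP - 3 MONTHS))
 ORDER BY finding, o.profile_name;
```

Every row returned by the second query is an omission-list entry that needs a documented reason to stay on the list.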