"Joe" came into work one day and discovered that someone had disabled a few user profiles. He checked the history log and msgq qsysopr, but there isn't an audit for this situation. How could this have happened?
What special authorities must a user profile have to disable others? How can he figure out who did this?
Solution:
The problem may be related to the command ANZPRFACT. Someone probably ran the command with a value of 1.
To fix the problem, Joe should run the command ANZPRFACT again with *NOMAX value. Another way to check this is to go to Audit journal (QAUDJRN) and retrieve the type CP (change profile). If someone in Joe's company is changing profiles, it should be here and logged. If the disable continues and the audit doesn't seem to have a CP type logged, then the ANZPRFACT is the problem. Once the command is run, the only way to undo it is to run it again with *NOMAX value.
Joe should also restrict the number of user profiles in his company with *SECADM special authority. That will prevent changes to the user profile.
==================================
MORE INFORMATION ON THIS TOPIC
==================================
The Best Web Links: Tips, tutorials and more.
Search400.com's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Read this Search400.com Featured Topic: Secure your iSeries
