Tip

Auditing user profile storage

If you have a well-planned security implementation, you can use the size of individual user profiles to make sure nothing unplanned is going on in your system. On the i5 system, the size of a user profile increases when the users own or is authorized to use more objects on the system. This tip gives you a quick way to see which user profiles are the largest on your system and determine why they are so large.

A user profile starts life on the iSeries by taking up very little space. Over time, however, as object authorities are granted to the user and as objects are created by and owned by the user, the amount of space taken up by the individual profile grows. A measure of how many objects are affected by a user profile can be taken from the size of the profile. Taking a look at the largest profiles on your system might be a bellwether for a potential problem.

More Information

To get a quick look at user profile size, try the following processes.

First, create a database of the current user profile information stored on your system. You can do that with the following Display Object Description command:

DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) DETAIL(*BASIC)
OUTPUT(*OUTFILE) OUTFILE (QGPL/ALLUSRS)

That creates the file named ALLUSRS in your QGPL library. That file now contains one record for every user profile currently defined on your system. The record contains quite a bit of information about the profile. For our purposes here, we'll be working with a small portion only.

With that file, create a simple query using the WRKQRY command. Select the file you've just created, and then select the fields Library Name (ODLBNM), Object Name (ODOBNM), Object Type (ODOBTP) and Object Size (ODOBSZ) for your query. Tell the query to sort the output in descending sequence based on the Object Size field with output either to a printed report or to your display. Then, run the query and check out the results. To make it a little easier to work with, you can even create a rule to exclude user profiles that start with "Q," since you have little control over those profiles. If they are a concern for you, leave them in. There is a chart showing what each "Q" profile is used for in Appendix B of the OS/400 security manual.

After reviewing the output from your query, you will probably find a few user profiles whose object authorities you want to take a closer look at. You can do that by running the following two commands:

DSPUSRPRF USRPRF(xxxxxx) TYPE(*OBJOWN) OUTPUT(*PRINT)
and
DSPUSRPRF USRPRF(xxxxxx) TYPE(*OBJAUT) OUTPUT(*PRINT)

The first produces a listing of all objects owned by the xxxxxx user profile that you insert into the command. The second creates a report of objects where the user profile has object authority defined. Take a close look at both reports for each user profile you've identified and make sure there are no surprises. The contents of the reports should support your current security implementation plan. If there are any variations, then further investigation is definitely warranted.

If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All e-mail messages will be answered.

---------------------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc.s in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.


This was first published in May 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.