Auditing user profile storage

Find out whose profiles are taking up a lot of storage space and why.

If you have a well-planned security implementation, you can use the size of individual user profiles to make sure nothing unplanned is going on in your system. On the i5 system, the size of a user profile increases when the users own or is authorized to use more objects on the system. This tip gives you a quick way to see which user profiles are the largest on your system and determine why they are so large.

A user profile starts life on the iSeries by taking up very little space. Over time, however, as object authorities are granted to the user and as objects are created by and owned by the user, the amount of space taken up by the individual profile grows. A measure of how many objects are affected by a user profile can be taken from the size of the profile. Taking a look at the largest profiles on your system might be a bellwether for a potential problem.

More Information

To get a quick look at user profile size, try the following processes.

First, create a database of the current user profile information stored on your system. You can do that with the following Display Object Description command:

DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) DETAIL(*BASIC)
OUTPUT(*OUTFILE) OUTFILE (QGPL/ALLUSRS)

That creates the file named ALLUSRS in your QGPL library. That file now contains one record for every user profile currently defined on your system. The record contains quite a bit of information about the profile. For our purposes here, we'll be working with a small portion only.

With that file, create a simple query using the WRKQRY command. Select the file you've just created, and then select the fields Library Name (ODLBNM), Object Name (ODOBNM), Object Type (ODOBTP) and Object Size (ODOBSZ) for your query. Tell the query to sort the output in descending sequence based on the Object Size field with output either to a printed report or to your display. Then, run the query and check out the results. To make it a little easier to work with, you can even create a rule to exclude user profiles that start with "Q," since you have little control over those profiles. If they are a concern for you, leave them in. There is a chart showing what each "Q" profile is used for in Appendix B of the OS/400 security manual.

After reviewing the output from your query, you will probably find a few user profiles whose object authorities you want to take a closer look at. You can do that by running the following two commands:

DSPUSRPRF USRPRF(xxxxxx) TYPE(*OBJOWN) OUTPUT(*PRINT)
and
DSPUSRPRF USRPRF(xxxxxx) TYPE(*OBJAUT) OUTPUT(*PRINT)

The first produces a listing of all objects owned by the xxxxxx user profile that you insert into the command. The second creates a report of objects where the user profile has object authority defined. Take a close look at both reports for each user profile you've identified and make sure there are no surprises. The contents of the reports should support your current security implementation plan. If there are any variations, then further investigation is definitely warranted.

If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All e-mail messages will be answered.

---------------------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc.s in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.


This was first published in May 2005

Dig deeper on iSeries system and application security

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchEnterpriseLinux

SearchDataCenter

Close