Tip

Unique user profiles are critical to OS/400 security

User security in OS/400 is based upon user profiles. A user profile uniquely identifies each user that accesses the system and also specifies which system objects the user is allowed to access. Auditing success requires that you are able to identify system actions and accesses down to the individual object and user level, and OS/400 is very successful at tracking system activity and maintaining the proper audit trail for both users and objects.

How successfully this information can be gathered and reported depends greatly on whether the user data, or the user naming convention, carries meaning. If user profiles are not traceable to a specific individual because they are generic or are in a format that does not uniquely identify the user, then the time needed to derive the required information can be greatly increased. Unique does not imply that the profile should simply be an abbreviation of the user's actual name, for example, JONESR for Robert Jones. Name-based profiles are easily guessed and often just as easy to hack. On the other hand, while using seemingly meaningless profiles like TR85GH4Q decreases the likelihood of profile guessing, the administrative overhead is greatly increased by having to track, in a separate file or location, to whom each profile belongs, and calls to the Help Desk are likely to increase when users can't even remember their user profile, let alone their password.

The best format for profiles is one that has meaning to the system administrators, is unique to the system, and will remain unique even when employee turnover is considered. For example, a multi-office company can use an alphabetic character to begin each profile to identify geographic location, followed by two digits to identify status (perm or temp), and four digits to identify the individual user (employee number). In this scheme, using 00 for permanent employees and 99 for temporary employees, a company with offices in Atlanta, Boston, and Phoenix could have profiles like this:

* A000257 - Atlanta, permanent, Employee# 0257
* B001322 - Boston, permanent, Employee# 1322
* P990033 - Phoenix, temporary, Temp Employee# 0033

Using this scheme, an administrator can quickly identify the location and status of the user. Also, since most companies do not re-use employee numbers, these profiles remain unique long after an employee leaves the company. In a four-digit employee number scheme, as many as 10,000 employees can "go through the turnstiles" before the risk of repeating an employee number arises, while a five-digit employee number yields 100,000 unique combinations.
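The following is an added example, not code from the original tip: a small Python script that decodes profile names built on the location/status/employee-number scheme above and audits an exported profile list for names that do not follow the convention (the generic or name-based profiles the tip warns about) and for employee numbers that show up under more than one profile. The location table covers only the three offices the tip names, the status codes are the 00/99 pair it uses, and the sample profile list is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Location letters and status codes from the tip's example scheme. Any real
# deployment would extend these tables; the mapping itself is an assumption.
LOCATIONS = {"A": "Atlanta", "B": "Boston", "P": "Phoenix"}
STATUS = {"00": "permanent", "99": "temporary"}

# <one letter><two-digit status><four-digit employee number>, 7 characters,
# well inside OS/400's 10-character user profile name limit.
PROFILE_RE = re.compile(r"^(?P<loc>[A-Z])(?P<status>\d{2})(?P<emp>\d{4})$")


@dataclass(frozen=True)
class ProfileInfo:
    name: str
    location: str
    status: str
    employee_number: int


def decode_profile(name: str) -> Optional[ProfileInfo]:
    """Decode a profile name that follows the scheme.

    Returns None for anything that does not conform (wrong length, unknown
    location letter, unknown status code), so the caller can flag it as a
    generic or name-based profile that needs a manual owner lookup.
    """
    upper = name.strip().upper()
    m = PROFILE_RE.match(upper)
    if not m:
        return None
    loc, status = m.group("loc"), m.group("status")
    if loc not in LOCATIONS or status not in STATUS:
        return None
    return ProfileInfo(upper, LOCATIONS[loc], STATUS[status], int(m.group("emp")))


def audit_profiles(names: List[str]) -> Tuple[List[ProfileInfo], List[str], Dict[int, List[str]]]:
    """Split a profile list into conforming and non-conforming names.

    Also reports employee numbers that appear under more than one profile,
    which is either a user who moved offices or changed status and kept an
    old profile, or a re-used employee number; both deserve a reviewer's eye.
    """
    conforming: List[ProfileInfo] = []
    nonconforming: List[str] = []
    for raw in names:
        info = decode_profile(raw)
        if info is None:
            nonconforming.append(raw.strip().upper())
        else:
            conforming.append(info)

    by_employee: Dict[int, List[str]] = {}
    for info in conforming:
        by_employee.setdefault(info.employee_number, []).append(info.name)
    duplicates = {emp: profs for emp, profs in by_employee.items() if len(profs) > 1}
    return conforming, nonconforming, duplicates


# Constructed sample list, as a DSPUSRPRF-style export might yield after trimming.
SAMPLE_PROFILES = [
    "A000257",   # Atlanta, permanent, employee 0257
    "B001322",   # Boston, permanent, employee 1322
    "P990033",   # Phoenix, temporary, temp employee 0033
    "B000257",   # same employee number as A000257: moved office, or re-used number
    "JONESR",    # name-based profile, not traceable through the scheme
    "TR85GH4Q",  # opaque profile, owner must be looked up elsewhere
]


def main() -> None:
    conforming, nonconforming, duplicates = audit_profiles(SAMPLE_PROFILES)
    for info in conforming:
        print(f"{info.name}: {info.location}, {info.status}, employee #{info.employee_number:04d}")
    for name in nonconforming:
        print(f"{name}: does not follow the naming convention; review owner manually")
    for emp, profs in duplicates.items():
        print(f"employee #{emp:04d} appears under several profiles: {', '.join(profs)}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the report on the constructed list; in practice the list would come from a profile export rather than the inline sample.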

Regular review of user profiles and their settings is paramount to a proactive security program. User profiles are one of the first things auditors review when assessing the security health of your systems.

This was first published in September 2002
