User security in OS/400 is based upon user profiles. A user profile uniquely identifies each user that accesses the system and also specifies which system objects the user is allowed to access. Auditing success requires that you are able to identify system actions and accesses down to the individual object and user level, and OS/400 is very successful at tracking system activity and maintaining the proper audit trail for both users and objects.
How successfully this information can be gathered and reported depends greatly on whether the user data or user naming convention carries meaning. If user profiles cannot be traced to a specific individual because they are generic or are in a format that does not uniquely identify the user, the time needed to derive the required information can increase greatly. Unique does not mean that the profile should simply be an abbreviation of the user's actual name, as when JONESR is used for Robert Jones. Name-based profiles are easily guessed and often just as easy to hack. On the other hand, while seemingly meaningless profiles like TR85GH4Q reduce the likelihood of profile guessing, the administrative overhead grows considerably because the owner of each profile must be tracked in a separate file or location, and calls to the Help Desk are likely to increase when users can't even remember their user profile, let alone their password.
The best format for profiles is one that has meaning to the system administrators, is unique on the system, and will remain unique even when employee turnover is considered. For example, a multi-office company can begin each profile with an alphabetic character identifying the geographic location, followed by two digits identifying status (permanent or temporary) and four digits identifying the individual user (employee number). In this scheme, using 00 for permanent employees and 99 for temporary employees, a company with offices in Atlanta, Boston, and Phoenix could have profiles like this:
* A000257 - Atlanta, permanent, Employee# 0257
* B001322 - Boston, permanent, Employee# 1322
* P990033 - Phoenix, temporary, Temp Employee# 0033
Using this scheme, an administrator can quickly identify the location and status of the user. Also, since most companies do not re-use employee numbers, these profiles remain unique long after an employee leaves the company. In a four-digit employee number scheme, as many as 10,000 employees can "go through the turnstiles" before the risk of repeating an employee number arises, while a five-digit employee number yields 100,000 unique combinations.
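The following is an added example, not part of the original article, showing how an administrator could audit a profile listing against the location/status/employee-number convention above: it decodes each name, flags profiles that cannot be traced to an individual through the convention, and flags reused employee numbers that would break the uniqueness the scheme relies on. The code tables and the sample profile list are constructed for illustration; IBM-supplied Q* profiles are skipped because they are not individual user accounts.

```python
"""Audit OS/400 user profile names against a location/status/employee convention."""
import re
from collections import Counter

# Assumed code tables for the hypothetical company in the article.
LOCATIONS = {"A": "Atlanta", "B": "Boston", "P": "Phoenix"}
STATUS = {"00": "permanent", "99": "temporary"}

# One alphabetic location code, two-digit status code, four-digit employee number.
PROFILE_RE = re.compile(r"^([A-Z])(\d{2})(\d{4})$")


def parse_profile(name):
    """Decode a profile name into its parts; return None if it does not conform."""
    m = PROFILE_RE.match(name.upper())
    if not m:
        return None
    loc, status, emp = m.groups()
    if loc not in LOCATIONS or status not in STATUS:
        return None
    return {"location": LOCATIONS[loc], "status": STATUS[status], "employee": emp}


def audit_profiles(names):
    """Return (profile, reason) findings: names not traceable to an individual
    via the convention, and employee numbers that appear on more than one profile.
    IBM-supplied profiles (Q*) are skipped; they are not individual user accounts."""
    findings = []
    parsed = {}
    for name in names:
        if name.upper().startswith("Q"):
            continue
        info = parse_profile(name)
        if info is None:
            findings.append((name, "does not follow naming convention"))
        else:
            parsed[name] = info
    emp_counts = Counter(info["employee"] for info in parsed.values())
    for name, info in parsed.items():
        if emp_counts[info["employee"]] > 1:
            findings.append((name, f"employee number {info['employee']} reused"))
    return findings


# Constructed sample profile listing, not taken from a real system.
SAMPLE_PROFILES = ["QSECOFR", "A000257", "B001322", "P990033", "JONESR",
                   "TR85GH4Q", "B000257", "TEMP1"]

if __name__ == "__main__":
    for name, reason in audit_profiles(SAMPLE_PROFILES):
        print(f"{name:10} {reason}")
```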
Regular review of user profiles and their settings is paramount to a pro-active security program. User profiles are one of the first things auditors review when assessing the security health of your systems.
This was first published in September 2002