How can I automatically disable IDs for lack of use, and send a user a subset of the IDs that are being automatically disabled?
Specifically, sending a notification to the agent manager when agent IDs are disabled for lack of use. Not a list of all disabled agents or all disabled IDs, just the agents being disabled at that time. On other LPARS QASECIDL is used, but there is no output from that job, which would be used to query out agent IDs.
The easiest way to automatically disable user profiles that haven't been used in a specified period of time is to use the ANZPRFACT command that comes with OS/400. When ANZPRFACT runs and, as a result, profiles are set to STATUS(*DISABLED), two things occur:
- A message, CPIB30C, is sent to the message queue of the user who ran the ANZPRFACT command
- A 'CP' audit entry is sent to the QAUDJRN (as long as auditing is turned on and *SECURITY is one of the values listed in the QAUDLVL system value)
To find out the list of users that have been disabled due to inactivity vs. being disabled due to entering too many invalid passwords, you can do the following:
- Dump all the CP audit entries to an outfile
- Run a query over that outfile, looking for entries with a job name of QSECIDL1 and QSECIDL2 for the program name.
- The audit entry data will contain the name of the user profile that was disabled.
Thanks to my friend Barb Smith at IBM Rochester for providing some of the information contained in this answer.
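As an added example (not part of the original answer), here is a CL program that strings the steps above together: dump the CP entries, keep only the ones written by the ANZPRFACT job for profiles on an agent list, and mail that subset to the agent manager. It assumes IBM i 7.1 or later (RUNSQL, SNDSMTPEMM), a hypothetical table SECLIB/AGENTLIST with column AGTPRF holding the agent profile names, a placeholder mailbox, and that the outfile field names CPUSPF, JOJOB, JOPGM and JOTSTP match the QASYCPJ5 model file on your release.

```cl
/* Added example, not from the original answer: run after ANZPRFACT.      */
/* Assumptions not on the page: SECLIB/AGENTLIST (column AGTPRF) lists    */
/* the agent profiles; field names CPUSPF, JOJOB, JOPGM, JOTSTP are taken */
/* from model file QSYS/QASYCPJ5 - confirm them with                     */
/* DSPFFD FILE(QSYS/QASYCPJ5) before use; the e-mail address is a         */
/* placeholder.                                                          */
PGM
  DCL VAR(&NBR) TYPE(*DEC) LEN(10 0)

  /* 1. Fresh outfile built from the CP model file so fields are named  */
  DLTF FILE(QTEMP/AUDCP)
  MONMSG MSGID(CPF0000)
  CRTDUPOBJ OBJ(QASYCPJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) +
            NEWOBJ(AUDCP)

  /* 2. Dump only CP (user profile changed) entries from QAUDJRN        */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(CP) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDCP) +
         ENTDTALEN(*CALC)

  /* 3. Keep entries written by the ANZPRFACT job (QSECIDL1/QSECIDL2)   */
  /*    in the last 24 hours, and only for profiles on the agent list   */
  RUNSQL SQL('CREATE TABLE QTEMP.DISAGENT AS ( +
              SELECT A.CPUSPF AS AGENT_ID, A.JOTSTP AS DISABLED_AT +
              FROM QTEMP.AUDCP A +
              JOIN SECLIB.AGENTLIST L ON L.AGTPRF = A.CPUSPF +
              WHERE A.JOJOB = ''QSECIDL1'' AND A.JOPGM = ''QSECIDL2'' +
              AND A.JOTSTP >= CURRENT_TIMESTAMP - 1 DAY +
              ) WITH DATA') COMMIT(*NONE)

  /* 4. No agent profile was disabled this run: send nothing            */
  RTVMBRD FILE(QTEMP/DISAGENT) NBRCURRCD(&NBR)
  IF COND(&NBR *EQ 0) THEN(RETURN)

  /* 5. Export just that subset and mail it to the agent manager        */
  CPYTOIMPF FROMFILE(QTEMP/DISAGENT) TOSTMF('/tmp/disagent.csv') +
            MBROPT(*REPLACE) STMFCODPAG(*PCASCII) RCDDLM(*CRLF) +
            DTAFMT(*DLM) FLDDLM(',')
  SNDSMTPEMM RCP(('agent.manager@example.com')) +
             SUBJECT('Agent IDs disabled by ANZPRFACT') +
             NOTE('Attached: agent profiles set to *DISABLED for inactivity.') +
             ATTACH(('/tmp/disagent.csv'))
ENDPGM
```

Schedule it with ADDJOBSCDE shortly after the ANZPRFACT run so the 24-hour window covers exactly one pass; on releases where SNDSMTPEMM is unavailable, replace step 5 with SNDDST or a message to the manager's message queue.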