We have a profile that we don't want to be used for sign on, but batch jobs need to be able to run using the profile. Should we disable the profile, or change the initial program to *signoff? What is the difference between the two options?
Assuming the batch-only user profile is called OurBatchPrf, the easiest way to set up the most relevant parameters is probably like:
===> CHGUSRPRF USRPRF(OurBatchPrf) PASSWORD(*NONE) +
       INLPGM(*NONE) INLMNU(*SIGNOFF)
Other parameters will depend on your environment, but these match what you need. Since the user profile will only be used for batch jobs, there should never be a need for an interactive signon. Therefore, there should be no password. And as long as there is no signon, there's no need for an initial program nor an initial menu; might as well make the values reflect the need.
It is possible to use a *DISABLED user profile for various batch processing functions. However, there are pitfalls related to various security APIs and system messages that make PASSWORD(*NONE) cleaner and much more predictable, not to mention the possible support issues with IBM. I would only use a *DISABLED profile for very specific purposes where I knew the precise behavior that would result. I certainly can't recommend it.
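A way to check the result afterwards, as an added example that is not part of the original answer: the query below reports how each batch profile compares with the three parameters set above and flags any that are *DISABLED. It assumes the QSYS2.USER_INFO service is available on your release; the profile names in the IN list are constructed placeholders.

```sql
-- Added example: audit batch-only profiles against
-- PASSWORD(*NONE) INLPGM(*NONE) INLMNU(*SIGNOFF).
-- Assumption: QSYS2.USER_INFO is available and you are authorized
-- to the profiles listed.
SELECT u.authorization_name,
       u.status,
       u.no_password_indicator,
       u.initial_program_name,
       u.initial_menu_name,
       -- A profile that still has a password can be used to sign on.
       CASE WHEN u.no_password_indicator = 'YES'
            THEN 'OK'
            ELSE 'FIX: CHGUSRPRF PASSWORD(*NONE)'
       END AS password_check,
       -- No interactive session, so no initial program is needed.
       CASE WHEN u.initial_program_name = '*NONE'
            THEN 'OK'
            ELSE 'FIX: CHGUSRPRF INLPGM(*NONE)'
       END AS inlpgm_check,
       -- *SIGNOFF ends any interactive job at the initial menu step.
       CASE WHEN u.initial_menu_name = '*SIGNOFF'
            THEN 'OK'
            ELSE 'FIX: CHGUSRPRF INLMNU(*SIGNOFF)'
       END AS inlmnu_check,
       -- The answer advises against relying on *DISABLED for batch use.
       CASE WHEN u.status = '*DISABLED'
            THEN 'REVIEW: profile is disabled'
            ELSE 'OK'
       END AS status_check
  FROM qsys2.user_info u
       -- Placeholder names: replace with your own batch profiles
       -- (stored in upper case, at most 10 characters).
 WHERE u.authorization_name IN ('OURBATCH', 'NIGHTLYJOB')
 ORDER BY u.authorization_name;
```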