Cooperation with HR key to iSeries security and user profiles
The problem with maintaining user profiles on your system, however, often comes up when people change jobs or leave your company altogether. When this happens, it really requires the full cooperation of your HR department. In my experience, an active network of spies is also helpful (using the word "spy" in the best of senses, of course). You can often find out about personnel changes from your network well in advance of any official notification from HR.
Since the notification process can easily break down, it is very important that all of your user profiles have built-in automatic expiration dates. This is done using the "Password expiration interval" (PWDEXPITV) associated with each user profile. I generally recommend that you set this to 60 days, but your security policy may call for a shorter interval. With this approach, when someone leaves, their profile will automatically expire within this set period of time.
IBM System i user profile tools
The System i OS has some nice tools available that will help you stay ahead of personnel changes. When you know someone is going to be leaving, you can set up their user profile to be disabled on the system on a given date. You can also work with the scheduled changes that are already pending and remove them if the termination plans change.
The commands you need to use this feature are:
- Change Expiration Schedule Entry (CHGEXPSCDE)
- Display Expiration Schedule (DSPEXPSCD)
When you schedule a profile to be deleted rather than disabled, additional parameters are also prompted that let you re-assign any objects owned by the profile when it is deleted. Under certain conditions, the profile may not be deleted if its owned objects cannot be properly dealt with. A review of the IBM documentation or the HELP key will give you more information on this topic.
The display command will give you a list of profiles that are scheduled for expiration processing. You can choose to display the list or print it. When reviewing the list, if you see an entry that you want to cancel, just process another change command with *NONE as the new expiration date and it will be removed from the schedule. When you remove an entry, the OS nicely sends a notification message to the user profile that initially set up the schedule, so be on the lookout for those, just in case.
For users that are moving to different job positions, it is probably best for you to delete their current profile, then add a new profile. You can even keep the same profile name. Taking this approach will make sure that their current permissions are all revoked before you establish them with new responsibilities, permissions and authorities.
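The following CL source is an added example, not code from the article or from Kisco, that walks through the three controls described above: setting the password expiration interval, scheduling and reviewing expiration entries, and the delete-then-recreate approach for a job change. The profile names JSMITH, TJONES, MBROWN and APPOWNER, the dates, and the temporary password are constructed placeholders; the EXPDATE values are written in the job's date format, assumed here to be *MDY.

```cl
/* Added example: user profile lifecycle controls on IBM i.        */
/* Profile names, dates and the temporary password below are       */
/* constructed placeholders, not values from the article.          */

PGM

/* 1. Enforce a 60-day password expiration interval so a profile   */
/*    whose owner has left does not stay usable indefinitely       */
CHGUSRPRF  USRPRF(JSMITH) PWDEXPITV(60)

/* 2. Known departure: disable the profile on the last working day */
/*    (date in job format, *MDY assumed)                           */
CHGEXPSCDE USRPRF(JSMITH) EXPDATE('06/30/08') ACTION(*DISABLE)

/* 2b. Or schedule deletion; owned objects are transferred to      */
/*     APPOWNER so the delete does not fail on objects it cannot   */
/*     dispose of                                                  */
CHGEXPSCDE USRPRF(TJONES) EXPDATE('06/30/08') ACTION(*DELETE) +
             OWNOBJOPT(*CHGOWN APPOWNER)

/* 3. Review every pending entry; use OUTPUT(*PRINT) for a spooled */
/*    report to keep with the HR change record                     */
DSPEXPSCD  OUTPUT(*)

/* 4. Cancel a pending entry if the termination plan changes.      */
/*    The OS sends a message to the profile that created the entry */
CHGEXPSCDE USRPRF(JSMITH) EXPDATE(*NONE)

/* 5. Job change: delete the current profile so all existing       */
/*    authorities are revoked, re-assign its objects, then         */
/*    recreate it under the same name with a temporary password    */
/*    that must be changed at first sign-on                        */
DLTUSRPRF  USRPRF(MBROWN) OWNOBJOPT(*CHGOWN APPOWNER)
CRTUSRPRF  USRPRF(MBROWN) PASSWORD('TEMPPWD1') PWDEXP(*YES) +
             PWDEXPITV(60) USRCLS(*USER) +
             TEXT('M. Brown - new role (placeholder)')

ENDPGM
```

Run DSPEXPSCD again after step 4 to confirm the entry is gone, and review the owner chosen in OWNOBJOPT before step 5: whatever profile receives the objects inherits the access they grant, so a dedicated application owner is a better choice than an administrator's personal profile.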
If you have any questions about this topic you can reach me at firstname.lastname@example.org. I'll try to answer any questions you may have. All email messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.