Get started Bring yourself up to speed with our introductory content.

Maintaining user profiles boosts iSeries security

Keeping user profiles current is necessary to IBM System i (iSeries, AS400) security. iSeries security expert Richard Loeber offers news and advice about maintaining user profiles.

Rich Loeber
Part of the security plan for your IBM System i (iSeries, AS400) processor includes keeping your user profiles current. For new employees, this is easy since they can't work until a profile is created. When this happens, you can take the time necessary to get each user set up correctly so that they meet your security goals and don't have any additional, unnecessary authority on your system.

Cooperation with HR key to iSeries security and user profiles

The problem with maintaining user profiles on your system, however, often comes up when people change jobs or leave your company altogether. When this happens, it really requires the full cooperation of your HR department. In my experience, an active network of spies is also helpful (using the word "spy" in the best of senses, of course). You can often find out about personnel changes from your network well in advance of any official notification from HR.

Since the notification process can easily break down, it is very important that all of your user profiles have built in automatic expiration dates. This is done using the "Password expiration interval" (PWDEXPITV) associated with each user profile. I generally recommend that you set this to 60 days, but your security policy may want that done more frequently. With this approach, when someone leaves their profile will automatically expire within this set period of time.

More on iSeries security:
iSeries security -- Fact or Fiction?

Managing user profiles
However, relying on this passive approach does not deliver the most secure environment. Your best bet is to stay ahead of the curve by having a good working relationship with your HR group and finding out about changes BEFORE they happen.

IBM System i user profile tools

The System i OS has some nice tools available that will help you with staying ahead of personnel changes. When you know someone is going to be leaving, you can set up their user profile to be disabled on the system on a given date. You can also work with the scheduled changes that are already pending and remove them if changes occur in any termination plans.

The commands you need to use this feature are:

  • Change Expiration Schedule Entry (CHGEXPSCDE)
  • Display Expiration Schedule (DSPEXPSCD)
The change command lets you enter a user profile, or list of profiles, that you want to expire at a set future date. You can choose to either disable the profile or delete it altogether.

When you set it up to be deleted, additional parameters are also prompted that let you re-assign any objects owned by the profile when it is deleted. Under certain conditions, the profile may not be deleted if objects cannot be properly dealt with. A review of the IBM documentation or the HELP key will give you more information on this topic.

The display command will give you a list of profiles that are scheduled for expiration processing. You can choose to display the list or print it. When reviewing the list, if you see an entry that you want to cancel, just process another change command with *NONE as the new expiration date and it will be removed from the schedule. When you remove an entry, the OS nicely sends a notification message to the user profile that initially set up the schedule, so be on the lookout for those, just in case.

For users that are moving to different job positions, it is probably best for you to delete their current profile, then add a new profile. You can even keep the same profile name. Taking this approach will make sure that their current permissions are all revoked before you establish them with new responsibilities, permissions and authorities.

If you have any questions about this topic you can reach me at I'll try to answer any questions you may have. All email messages will be answered.

About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Dig Deeper on Security Tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.