The user profile is your first line of defense in the ongoing battle of protecting your system. When a new employee shows up for work, you go to great lengths to get their profile set up just right. You make sure that they get access to the menus they need to get their work done and you set up their object access accordingly. If you've been at this a while, you probably already have a mental checklist of all the things that you need to do for a new user in each department or work group in your shop.
But what about subsequent changes to those profiles? Are you watching these updates to make sure that your carefully engineered security scheme is being maintained over the life of each user profile?
In OS/400, there are a couple of ways that you can monitor this.
First, you can use the security audit journal as an after-the-fact review process for user profile changes and updates. To run this report, use the Display Audit Journal Entries (DSPAUDJRNE) command. Prompt the command using the F4 key and select the entry type code CP (Change user profile entries). The resulting report will show you at least some of the user profile change activity for the selected period of time on your system.
If you want more immediate information about user profile changes, then the only alternative is for you to code an exit program. There are four possible exit points that you can use on the system to track user profile activity:
QIBM_QSY_CRT_PROFILE: Create User Profile
QIBM_QSY_CHG_PROFILE: Change User Profile
QIBM_QSY_DLT_PROFILE: Delete User Profile
QIBM_QSY_RST_PROFILE: Restore User Profile
An exit point is a marker in OS/400 where you can attach your own program. OS/400 calls your program, passing parameters, during the process of working with these four user profile events. You can then code your program to meet your specific needs. This can include online notification, detailed change tracking, rules enforcement and more. You can even pass a return code back to the exit point indicating that the profile change should be disallowed.
You will find more details about creating exit programs to work with these user profile exit points in the iSeries Security Reference manual. You can register your program using the Work with Registration Information (WRKREGINF) command. You will see many exit points displayed, so be sure to limit your changes to the specific exits named above.
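A sketch of such an exit program for the change exit point, added here as an example and not taken from the article or from IBM's manual. It assumes the CHGP0100 parameter layout noted in the comments (confirm it in the Security Reference for your release); the library and program names SECLIB and CHGPRFEXIT are hypothetical.

```cl
/* Added example: notify the operator when a user profile is changed. */
/* Assumed parameter layout for format CHGP0100 (verify in manual):   */
/*   1-20 exit point name, 21-28 format name, 29-38 profile name      */
/* Register (hypothetical library/program names):                     */
/*   ADDEXITPGM EXITPNT(QIBM_QSY_CHG_PROFILE) FORMAT(CHGP0100) +      */
/*              PGMNBR(1) PGM(SECLIB/CHGPRFEXIT)                      */
PGM        PARM(&INFO)
DCL        VAR(&INFO)   TYPE(*CHAR) LEN(38)
DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
DCL        VAR(&STATUS) TYPE(*CHAR) LEN(10)
DCL        VAR(&USRCLS) TYPE(*CHAR) LEN(10)
DCL        VAR(&POS)    TYPE(*INT)  LEN(4)
DCL        VAR(&FLAG)   TYPE(*CHAR) LEN(3)  VALUE('NO')
DCL        VAR(&MSG)    TYPE(*CHAR) LEN(200)

CHGVAR     VAR(&USER) VALUE(%SST(&INFO 29 10))

/* Read the profile as it stands after the change */
RTVUSRPRF  USRPRF(&USER) SPCAUT(&SPCAUT) STATUS(&STATUS) +
             USRCLS(&USRCLS)
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(NOTIFY))

/* SPCAUT is returned as ten 10-character slots; flag the two   */
/* special authorities that matter most for privilege creep     */
DOFOR      VAR(&POS) FROM(1) TO(91) BY(10)
   IF      COND((%SST(&SPCAUT &POS 10) *EQ '*ALLOBJ') *OR +
                (%SST(&SPCAUT &POS 10) *EQ '*SECADM')) +
           THEN(CHGVAR VAR(&FLAG) VALUE('YES'))
ENDDO

NOTIFY:
CHGVAR     VAR(&MSG) VALUE('User profile' *BCAT &USER *BCAT +
             'was changed. Class:' *BCAT &USRCLS *BCAT +
             'Status:' *BCAT &STATUS *BCAT +
             'Has *ALLOBJ or *SECADM:' *BCAT &FLAG)
SNDMSG     MSG(&MSG) TOUSR(*SYSOPR)
/* Never let a notification failure surface in the caller's job */
MONMSG     MSGID(CPF0000)
ENDPGM
```

The audit journal remains the record of who made the change; this program only reports the state of the profile afterwards.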
If you have any questions about this topic, you can reach me at firstname.lastname@example.org and I'll give it my best shot. All e-mail messages will be answered.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.