ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvanalyzeuserprof.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Analyze user profiles" />
<meta name="abstract" content="This article describes how to analyze user profiles and provides step-by-step instructions." />
<meta name="description" content="This article describes how to analyze user profiles and provides step-by-step instructions." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="analyzeuserprof" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Analyze user profiles</title>
</head>
<body id="analyzeuserprof"><a name="analyzeuserprof"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Analyze user profiles</h1>
<div><p>This article describes how to analyze user profiles and provides
step-by-step instructions.</p>
<p>You can display or print a complete list of all the users on your system
with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced
by profile name or group profile name. Following is an example of the group
profile sequence:</p>
<pre class="screen">              Display Authorized Users
                   Password 
Group     User      Last      No 
Profile   Profile   Changed   Password  Text 

DPTSM     
          ANDERSOR  08/04/0x            Roger Anders 
          VINCENTM  09/15/0x            Mark Vincent 
DPTWH     
          ANDERSOR  08/04/0x            Roger Anders 
          WAGNERR   09/06/0x            Rose Wagner 
QSECOFR 
          JONESS    09/20/0x            Sharon Jones 
          HARRISOK  08/29/0x            Ken Harrison 
*NO GROUP 
          DPTSM     09/05/0x    X       Sales and Marketing
          DPTWH     08/13/0x    X       Warehouse 
          RICHARDS  09/05/0x            Janet Richards 
          SMITHJ    09/18/0x            John Smith</pre>
<p><strong>Print selected user profiles</strong></p>
<div class="p">You can use the Display User Profile (DSPUSRPRF) command to create an output
file, which you can process using a query tool.<pre>DSPUSRPRF USRPRF(*ALL) + 
          TYPE(*BASIC) OUTPUT(*OUTFILE)</pre>
</div>
<div class="p">You can use a query tool to create a variety of analysis reports of your
output file, such as: <ul><li>A list of all users who have both *ALLOBJ and *SPLCTL special authority.</li>
<li>A list of all users sequenced by a user profile field, such as initial
program or user class.</li>
</ul>
 </div>
<div class="p">You can create query programs to produce different reports from your output
file. For example: <ul><li>List all user profiles that have any special authorities by selecting
records where the field UPSPAU is not equal to *NONE.</li>
<li>List all users who are allowed to enter commands by selecting records
where the Limit capabilities field (called UPLTCP in the model database outfile)
is equal to *NO or *PARTIAL.</li>
<li>List all users who have a particular initial menu or initial program.</li>
<li>List inactive users by looking at the date last sign-on field.</li>
<li>List all users who do not have a password for use at password levels 0
and 1 by selecting records where the Password present for level 0 or 1 field
(called UPENPW in the model outfile) is equal to N.</li>
<li>List all users who have a password for use at password levels 2 and 3
by selecting records where the Password present for level 2 or 3 field (called
UPENPH in the model outfile) is equal to Y.</li>
</ul>
 </div>
<p><strong>Examine large user profiles</strong></p>
<div class="p">User profiles with large numbers of authorities, appearing to be randomly
spread over most of the system, can reflect a lack of security planning. Following
is one method for locating large user profiles and evaluating them:<ol><li>the Display Object Description (DSPOBJD) command to create an output file
containing information about all the user profiles on the system:<pre>DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) + 
        DETAIL(*BASIC) OUTPUT(*OUTFILE)</pre>
</li>
<li>Create a query program to list the name and size of each user profile,
in descending sequence by size.</li>
<li>Print detailed information about the largest user profiles and evaluate
the authorities and owned objects to see if they are appropriate:<pre>DSPUSRPRF USRPRF(<var class="varname">user-profile-name</var>) + 
          TYPE(*OBJAUT) OUTPUT(*PRINT) 
DSPUSRPRF USRPRF(<var class="varname">user-profile-name</var>) + 
          TYPE(*OBJOWN) OUTPUT(*PRINT)</pre>
<p>Some IBM-supplied user
profiles are very large because of the number of objects they own. Listing
and analyzing them is usually not necessary. However, you should check for
programs adopting the authority of the IBM-supplied user profiles that have
*ALLOBJ special authority, such as QSECOFR and QSYS.</p>
</li>
</ol>
</div>
<p>For more information, see <span class="q">"IBM-Supplied User Profiles"</span> in the <a href="../rzahg/rzahgsecref.htm">iSeries
Security Reference</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="concept" />`
			`<meta name="DC.Title" content="Analyze user profiles" />`
			`<meta name="abstract" content="This article describes how to analyze user profiles and provides step-by-step instructions." />`
			`<meta name="description" content="This article describes how to analyze user profiles and provides step-by-step instructions." />`
			`<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="analyzeuserprof" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Analyze user profiles</title>`
			`</head>`
			`<body id="analyzeuserprof"><a name="analyzeuserprof"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Analyze user profiles</h1>`
			`<div><p>This article describes how to analyze user profiles and provides`
			`step-by-step instructions.</p>`
			`<p>You can display or print a complete list of all the users on your system`
			`with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced`
			`by profile name or group profile name. Following is an example of the group`
			`profile sequence:</p>`
			`<pre class="screen"> Display Authorized Users`
			`Password`
			`Group User Last No`
			`Profile Profile Changed Password Text`

			`DPTSM`
			`ANDERSOR 08/04/0x Roger Anders`
			`VINCENTM 09/15/0x Mark Vincent`
			`DPTWH`
			`ANDERSOR 08/04/0x Roger Anders`
			`WAGNERR 09/06/0x Rose Wagner`
			`QSECOFR`
			`JONESS 09/20/0x Sharon Jones`
			`HARRISOK 08/29/0x Ken Harrison`
			`*NO GROUP`
			`DPTSM 09/05/0x X Sales and Marketing`
			`DPTWH 08/13/0x X Warehouse`
			`RICHARDS 09/05/0x Janet Richards`
			`SMITHJ 09/18/0x John Smith</pre>`
			`<p><strong>Print selected user profiles</strong></p>`
			`<div class="p">You can use the Display User Profile (DSPUSRPRF) command to create an output`
			`file, which you can process using a query tool.<pre>DSPUSRPRF USRPRF(*ALL) +`
			`TYPE(BASIC) OUTPUT(OUTFILE)</pre>`
			`</div>`
			`<div class="p">You can use a query tool to create a variety of analysis reports of your`
			`output file, such as: <ul><li>A list of all users who have both ALLOBJ and SPLCTL special authority.</li>`
			`<li>A list of all users sequenced by a user profile field, such as initial`
			`program or user class.</li>`
			`</ul>`
			`</div>`
			`<div class="p">You can create query programs to produce different reports from your output`
			`file. For example: <ul><li>List all user profiles that have any special authorities by selecting`
			`records where the field UPSPAU is not equal to *NONE.</li>`
			`<li>List all users who are allowed to enter commands by selecting records`
			`where the Limit capabilities field (called UPLTCP in the model database outfile)`
			`is equal to NO or PARTIAL.</li>`
			`<li>List all users who have a particular initial menu or initial program.</li>`
			`<li>List inactive users by looking at the date last sign-on field.</li>`
			`<li>List all users who do not have a password for use at password levels 0`
			`and 1 by selecting records where the Password present for level 0 or 1 field`
			`(called UPENPW in the model outfile) is equal to N.</li>`
			`<li>List all users who have a password for use at password levels 2 and 3`
			`by selecting records where the Password present for level 2 or 3 field (called`
			`UPENPH in the model outfile) is equal to Y.</li>`
			`</ul>`
			`</div>`
			`<p><strong>Examine large user profiles</strong></p>`
			`<div class="p">User profiles with large numbers of authorities, appearing to be randomly`
			`spread over most of the system, can reflect a lack of security planning. Following`
			`is one method for locating large user profiles and evaluating them:<ol><li>the Display Object Description (DSPOBJD) command to create an output file`
			`containing information about all the user profiles on the system:<pre>DSPOBJD OBJ(ALL) OBJTYPE(USRPRF) +`
			`DETAIL(BASIC) OUTPUT(OUTFILE)</pre>`
			`</li>`
			`<li>Create a query program to list the name and size of each user profile,`
			`in descending sequence by size.</li>`
			`<li>Print detailed information about the largest user profiles and evaluate`
			`the authorities and owned objects to see if they are appropriate:<pre>DSPUSRPRF USRPRF(<var class="varname">user-profile-name</var>) +`
			`TYPE(OBJAUT) OUTPUT(PRINT)`
			`DSPUSRPRF USRPRF(<var class="varname">user-profile-name</var>) +`
			`TYPE(OBJOWN) OUTPUT(PRINT)</pre>`
			`<p>Some IBM-supplied user`
			`profiles are very large because of the number of objects they own. Listing`
			`and analyzing them is usually not necessary. However, you should check for`
			`programs adopting the authority of the IBM-supplied user profiles that have`
			`*ALLOBJ special authority, such as QSECOFR and QSYS.</p>`
			`</li>`
			`</ol>`
			`</div>`
			`<p>For more information, see <span class="q">"IBM-Supplied User Profiles"</span> in the <a href="../rzahg/rzahgsecref.htm">iSeries`
			`Security Reference</a>.</p>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`