<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Analyze user profiles" />
<meta name="abstract" content="This article describes how to analyze user profiles and provides step-by-step instructions." />
<meta name="description" content="This article describes how to analyze user profiles and provides step-by-step instructions." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="analyzeuserprof" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Analyze user profiles</title>
</head>
<body id="analyzeuserprof"><a name="analyzeuserprof"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Analyze user profiles</h1>
<div><p>This article describes how to analyze user profiles and provides
step-by-step instructions.</p>
<p>You can display or print a complete list of all the users on your system
with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced
by profile name or group profile name. Following is an example of the group
profile sequence:</p>
<pre class="screen">              Display Authorized Users
                   Password 
Group     User      Last      No 
Profile   Profile   Changed   Password  Text 

DPTSM     
          ANDERSOR  08/04/0x            Roger Anders 
          VINCENTM  09/15/0x            Mark Vincent 
DPTWH     
          ANDERSOR  08/04/0x            Roger Anders 
          WAGNERR   09/06/0x            Rose Wagner 
QSECOFR 
          JONESS    09/20/0x            Sharon Jones 
          HARRISOK  08/29/0x            Ken Harrison 
*NO GROUP 
          DPTSM     09/05/0x    X       Sales and Marketing
          DPTWH     08/13/0x    X       Warehouse 
          RICHARDS  09/05/0x            Janet Richards 
          SMITHJ    09/18/0x            John Smith</pre>
<p><strong>Print selected user profiles</strong></p>
<div class="p">You can use the Display User Profile (DSPUSRPRF) command to create an output
file, which you can process using a query tool.<pre>DSPUSRPRF USRPRF(*ALL) + 
          TYPE(*BASIC) OUTPUT(*OUTFILE) + 
          OUTFILE(<var class="varname">library-name</var>/<var class="varname">file-name</var>)</pre>
</div>
<div class="p">You can use a query tool to create a variety of analysis reports of your
output file, such as: <ul><li>A list of all users who have both *ALLOBJ and *SPLCTL special authority.</li>
<li>A list of all users sequenced by a user profile field, such as initial
program or user class.</li>
</ul>
 </div>
<div class="p">You can create query programs to produce different reports from your output
file. For example: <ul><li>List all user profiles that have any special authorities by selecting
records where the field UPSPAU is not equal to *NONE.</li>
<li>List all users who are allowed to enter commands by selecting records
where the Limit capabilities field (called UPLTCP in the model database outfile)
is equal to *NO or *PARTIAL.</li>
<li>List all users who have a particular initial menu or initial program.</li>
<li>List inactive users by looking at the date last sign-on field.</li>
<li>List all users who do not have a password for use at password levels 0
and 1 by selecting records where the Password present for level 0 or 1 field
(called UPENPW in the model outfile) is equal to N.</li>
<li>List all users who have a password for use at password levels 2 and 3
by selecting records where the Password present for level 2 or 3 field (called
UPENPH in the model outfile) is equal to Y.</li>
</ul>
 </div>
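<p>The query below is an added example, not part of the original IBM text. It combines several of the selections listed above into one review report over the DSPUSRPRF output file. AUDITLIB.USRPRFOUT is a hypothetical library and file name, and the profile-name field UPUPRF and the single-field layout of UPSPAU are assumptions about the model outfile.</p>

```sql
-- Added example: one review report over the DSPUSRPRF TYPE(*BASIC) outfile.
-- AUDITLIB.USRPRFOUT is a hypothetical library/file name.
-- UPSPAU, UPLTCP, UPENPW and UPENPH are the fields named in the text.
-- UPUPRF (profile name) is assumed from the model outfile layout.
-- UPSPAU is assumed to hold all of a profile's special authorities in
-- one character field, so membership is tested with LIKE rather than "=".

SELECT UPUPRF AS PROFILE,
       CASE WHEN UPSPAU LIKE '%*ALLOBJ%' THEN 'Y' ELSE 'N' END AS ALLOBJ,
       CASE WHEN UPSPAU LIKE '%*SPLCTL%' THEN 'Y' ELSE 'N' END AS SPLCTL,
       TRIM(UPLTCP) AS LMTCPB,        -- *NO or *PARTIAL: can enter commands
       UPENPW       AS PWD_LVL_0_1,   -- password present for levels 0 and 1
       UPENPH       AS PWD_LVL_2_3,   -- password present for levels 2 and 3
       CASE
         -- Both *ALLOBJ and *SPLCTL: first report from the list above
         WHEN UPSPAU LIKE '%*ALLOBJ%' AND UPSPAU LIKE '%*SPLCTL%' THEN 1
         -- Any special authority combined with command entry
         WHEN TRIM(UPLTCP) IN ('*NO', '*PARTIAL') THEN 2
         -- Special authority, but limited capabilities
         ELSE 3
       END AS REVIEW_ORDER
  FROM AUDITLIB.USRPRFOUT
 WHERE TRIM(UPSPAU) NOT IN ('*NONE')  -- only profiles with special authority
 ORDER BY REVIEW_ORDER, PROFILE;
```

<p>Profiles in review order 1 or 2 that also show Y in either password column can sign on interactively with those authorities, so they are the ones to evaluate first.</p>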
<p><strong>Examine large user profiles</strong></p>
<div class="p">User profiles with large numbers of authorities, appearing to be randomly
spread over most of the system, can reflect a lack of security planning. Following
is one method for locating large user profiles and evaluating them:<ol><li>Use the Display Object Description (DSPOBJD) command to create an output file
containing information about all the user profiles on the system:<pre>DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) + 
        DETAIL(*BASIC) OUTPUT(*OUTFILE) + 
        OUTFILE(<var class="varname">library-name</var>/<var class="varname">file-name</var>)</pre>
</li>
<li>Create a query program to list the name and size of each user profile,
in descending sequence by size.</li>
<li>Print detailed information about the largest user profiles and evaluate
the authorities and owned objects to see if they are appropriate:<pre>DSPUSRPRF USRPRF(<var class="varname">user-profile-name</var>) + 
          TYPE(*OBJAUT) OUTPUT(*PRINT) 
DSPUSRPRF USRPRF(<var class="varname">user-profile-name</var>) + 
          TYPE(*OBJOWN) OUTPUT(*PRINT)</pre>
<p>Some IBM-supplied user
profiles are very large because of the number of objects they own. Listing
and analyzing them is usually not necessary. However, you should check for
programs adopting the authority of the IBM-supplied user profiles that have
*ALLOBJ special authority, such as QSECOFR and QSYS.</p>
</li>
</ol>
</div>
<p>For more information, see <span class="q">"IBM-Supplied User Profiles"</span> in the <a href="../rzahg/rzahgsecref.htm">iSeries
Security Reference</a>.</p>
</div>
</body>
</html>