<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="concept" /> <meta name="DC.Title" content="Remove user profiles automatically" /> <meta name="abstract" content="Your system should contain only user profiles that are necessary. An unnecessary user profile may provide unauthorized entry to your system. If you no longer need a user profile because the user either has left or has taken a different job within the organization, remove the user profile." /> <meta name="description" content="Your system should contain only user profiles that are necessary. An unnecessary user profile may provide unauthorized entry to your system. If you no longer need a user profile because the user either has left or has taken a different job within the organization, remove the user profile." /> <meta name="DC.Relation" scheme="URI" content="rzamvremoveuser.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="userprofremove" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Remove user profiles automatically</title> </head> <body id="userprofremove"><a name="userprofremove"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <h1 class="topictitle1">Remove user profiles automatically</h1> <div><p>Your system should contain only user profiles that are necessary. An unnecessary user profile may provide unauthorized entry to your system. If you no longer need a user profile because the user either has left or has taken a different job within the organization, remove the user profile.</p> <p>You can use the Change Expiration Schedule Entry (<span class="cmdname">CHGEXPSCDE</span>) command to schedule the removal or disabling of user profiles. If you know that a user is leaving for an extended period, you can schedule the user profile to be removed or disabled. </p> <p>The first time that you use the <span class="cmdname">CHGEXPSCDE</span> command, it creates a job schedule entry that runs at 1 minute after midnight every day. The job looks at the QASECEXP file to determine whether any user profiles are scheduled for removal on that day. </p> <p>With the <span class="cmdname">CHGEXPSCDE</span> command, you either disable or delete a user profile. If you choose to delete a user profile, you must specify what the system will do with the objects that the user owns. Before you schedule a user profile for deletion, you need to research the objects that the user owns. For example, if the user owns programs that adopt authority, do you want those programs to adopt the authority of the new owner? Or does the new owner have more authority than necessary (such as special authority)? Perhaps you need to create a new user profile with specific authorities to own the programs that need to adopt authority.
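The research and scheduling steps described above, as an added example in CL that is not part of the original IBM topic. The profile names JSMITH (departing user) and APPOWNER (dedicated owner profile) and the date are constructed placeholders; EXPDATE is entered in the job's date format.

```cl
/* Added example, not IBM's own code. JSMITH, APPOWNER and the date   */
/* are constructed placeholders.                                      */

/* 1. List every object the departing user owns.                      */
DSPUSRPRF  USRPRF(JSMITH) TYPE(*OBJOWN) OUTPUT(*PRINT)

/* 2. List the programs that adopt this owner's authority. After an   */
/*    ownership change they run with the new owner's authority.       */
DSPPGMADP  USRPRF(JSMITH) OUTPUT(*PRINT)

/* 3. Review the intended new owner. If it carries special authority  */
/*    that the adopting programs do not need, create a profile with   */
/*    only the required authorities and use that profile instead.     */
DSPUSRPRF  USRPRF(APPOWNER) TYPE(*BASIC) OUTPUT(*PRINT)

/* 4a. Extended leave: disable on the scheduled date. Batch jobs can  */
/*     still run under a disabled profile.                            */
CHGEXPSCDE USRPRF(JSMITH) EXPDATE('12/31/25') ACTION(*DISABLE)

/* 4b. Permanent departure: delete on the scheduled date and transfer */
/*     owned objects to the reviewed owner. Running CHGEXPSCDE again  */
/*     for the same profile changes its existing schedule entry.      */
CHGEXPSCDE USRPRF(JSMITH) EXPDATE('12/31/25') ACTION(*DELETE) +
             OWNOBJOPT(*CHGOWN APPOWNER)

/* 5. Confirm what the daily job will act on.                         */
DSPEXPSCD  OUTPUT(*)

/* To cancel a scheduled action before it runs:                       */
/* CHGEXPSCDE USRPRF(JSMITH) EXPDATE(*NONE)                           */
```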
</p> <p>You also need to research whether any application problems will occur if you delete the user profile. For example, do any job descriptions specify the user profile as the default user? </p> <p>You can use the Display Expiration Schedule (<span class="cmdname">DSPEXPSCD</span>) command to display the list of profiles that are scheduled to be disabled or removed. You can use the Display Authorized Users (<span class="cmdname">DSPAUTUSR</span>) command to list all of the user profiles on your system. Use the Delete User Profile (<span class="cmdname">DLTUSRPRF</span>) command to delete outdated profiles.</p> <div class="note"><span class="notetitle">Security note:</span> You <u>disable</u> a user profile by setting its status to *DISABLED. When you disable a user profile, you make it unavailable for interactive use. You cannot sign on with or change your job to a disabled user profile. Batch jobs can run under a user profile that is disabled.</div> </div> <div> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvremoveuser.htm" title="This article describes how to remove a user from the system, explains why it is important, and provides step-by-step instructions.">Remove a user from the system</a></div> </div> </div> </body> </html>