Analyze user profiles

This article describes how to analyze user profiles and provides step-by-step instructions.

You can display or print a complete list of all the users on your system with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced by profile name or group profile name. Following is an example of the group profile sequence:

              Display Authorized Users
                    Password
Group     User      Last      No
Profile   Profile   Changed   Password  Text

DPTSM     
          ANDERSOR  08/04/0x            Roger Anders 
          VINCENTM  09/15/0x            Mark Vincent 
DPTWH     
          ANDERSOR  08/04/0x            Roger Anders 
          WAGNERR   09/06/0x            Rose Wagner 
QSECOFR 
          JONESS    09/20/0x            Sharon Jones 
          HARRISOK  08/29/0x            Ken Harrison 
*NO GROUP 
          DPTSM     09/05/0x    X       Sales and Marketing
          DPTWH     08/13/0x    X       Warehouse 
          RICHARDS  09/05/0x            Janet Richards 
          SMITHJ    09/18/0x            John Smith
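
Once the group-sequenced listing is saved as text, it can be checked mechanically. The following is an added example, not part of the original article or IBM-supplied code: it parses the fixed-width columns and reports group profiles that still have a password, members of a privileged group, and users who belong to more than one group. The sample input is constructed, and the column offsets and the `privileged` default are assumptions taken from the listing shown above.

```python
from collections import defaultdict

# Constructed sample in the listing's column layout; DPTWH is shown WITH a password.
SAMPLE = """\
Group     User      Last      No
Profile   Profile   Changed   Password  Text
DPTSM
          ANDERSOR  08/04/0x            Roger Anders
          VINCENTM  09/15/0x            Mark Vincent
DPTWH
          ANDERSOR  08/04/0x            Roger Anders
QSECOFR
          JONESS    09/20/0x            Sharon Jones
*NO GROUP
          DPTSM     09/05/0x    X       Sales and Marketing
          DPTWH     08/13/0x            Warehouse
"""

def parse(listing):
    """Return (group -> [member profiles], profile -> 'No Password' flag)."""
    members, no_password, group, body = defaultdict(list), {}, None, False
    for line in listing.splitlines():
        if not body:                       # skip title and column headings
            body = line.startswith("Profile")
        elif line.strip() and not line.startswith(" "):
            group = line.strip()           # text in column 1 is a group heading
        elif line.strip() and group:
            user = line[10:20].strip()     # assumed offset of "User Profile"
            members[group].append(user)
            no_password[user] = line[30:40].strip() == "X"  # assumed offset
    return members, no_password

def audit(listing, privileged=("QSECOFR",)):
    """Return sorted (finding, profile, detail) tuples; 'privileged' is an assumed default."""
    members, no_password = parse(listing)
    findings, groups_of = [], defaultdict(list)
    for group, users in members.items():
        if group == "*NO GROUP":
            continue
        if no_password.get(group) is False:    # group profile can be used to sign on
            findings.append(("GROUP_HAS_PASSWORD", group, ""))
        for user in users:
            groups_of[user].append(group)
            if group in privileged:            # member inherits the group's authority
                findings.append(("PRIVILEGED_GROUP", user, group))
    for user, groups in groups_of.items():
        if len(groups) > 1:                    # authority accumulates across groups
            findings.append(("MULTIPLE_GROUPS", user, ",".join(groups)))
    return sorted(findings)
```

A group that never appears in the User Profile column (QSECOFR in this sample) is not reported for its password status, because the listing gives no value for it.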

Print selected user profiles

You can use the Display User Profile (DSPUSRPRF) command to create an output file, which you can process using a query tool.
DSPUSRPRF USRPRF(*ALL) +
          TYPE(*BASIC) OUTPUT(*OUTFILE) +
          OUTFILE(library-name/file-name)
You can use a query tool, or create your own query programs, to produce a variety of analysis reports from your output file.

Examine large user profiles

User profiles with large numbers of authorities, appearing to be randomly spread over most of the system, can reflect a lack of security planning. Following is one method for locating large user profiles and evaluating them:
  1. Use the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system:
    DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) +
            DETAIL(*BASIC) OUTPUT(*OUTFILE) +
            OUTFILE(library-name/file-name)
  2. Create a query program to list the name and size of each user profile, in descending sequence by size.
  3. Print detailed information about the largest user profiles and evaluate the authorities and owned objects to see if they are appropriate:
    DSPUSRPRF USRPRF(user-profile-name) + 
              TYPE(*OBJAUT) OUTPUT(*PRINT) 
    DSPUSRPRF USRPRF(user-profile-name) + 
              TYPE(*OBJOWN) OUTPUT(*PRINT)

    Some IBM-supplied user profiles are very large because of the number of objects they own. Listing and analyzing them is usually not necessary. However, you should check for programs adopting the authority of the IBM-supplied user profiles that have *ALLOBJ special authority, such as QSECOFR and QSYS.

For more information, see "IBM-Supplied User Profiles" in the iSeries Security Reference.