Schedule availability of user profiles

You may want some user profiles to be available for sign-on only at certain times of the day or certain days of the week.

For example, if you have a profile set up for a security auditor, you may want to enable that user profile only during the hours that the auditor is scheduled to work. You might also want to disable user profiles with *ALLOBJ special authority (including the QSECOFR user profile) during off-hours.

You can use the Change Activation Schedule Entry (CHGACTSCDE) command to set up user profiles to be enabled and disabled automatically. For each user profile that you want to schedule, you create an entry that defines the user profile’s schedule.

For example, if you want the QSECOFR profile to be available only between 7 in the morning and 10 in the evening, you would type the following on the CHGACTSCDE display:

Figure 1. Schedule profile activation display—sample
         Change Activation Scd Entry (CHGACTSCDE) 

Type choices, press Enter. 

User profile . . . . . . . . . . > QSECOFR         Name 
Enable time  . . . . . . . . . . > '7:00'          Time, *NONE 
Disable time . . . . . . . . . . > '22:00'         Time, *NONE 
Days . . . . . . . . . . . . . . > *MON            *ALL, *MON, *TUE, *WED... 
                                 > *TUE 
                                 > *WED 
                                 > *THU 
               + for more values > *FRI

In fact, you might want to have the QSECOFR profile available only for a very limited number of hours each day. You can use another user profile with the *SECOFR class to perform most system functions. Thus, you avoid exposing a well-known user profile to hacking attempts.

You can use the Display Audit Journal Entries (DSPAUDJRNE) command periodically to print the CP (Change Profile) audit journal entries. Use these entries to verify that the system is enabling and disabling user profiles according to your planned schedule.

Another method for checking to ensure that user profiles are being disabled on your planned schedule is to use the Print User Profile (PRTUSRPRF) command. When you specify *PWDINFO for the report type, the report includes the status of each selected user profile. If, for example, you regularly disable all user profiles with *ALLOBJ special authority, you can schedule the following command to run immediately after the profiles are disabled: PRTUSRPRF TYPE(*PWDINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)

Parent topic: Manage security information