Академический Документы
Профессиональный Документы
Культура Документы
Text
ANDERSOR VINCENTM DPTWH ANDERSOR WAGNERR QSECOFR JONESS HARRISOK *NO GROUP DPTSM DPTWH RICHARDS SMITHJ
08/04/0x 09/15/0x 08/04/0x 09/06/0x 09/20/0x 08/29/0x 09/05/0x 08/13/0x 09/05/0x 09/18/0x X X
Roger Anders Mark Vincent Roger Anders Rose Wagner Sharon Jones Ken Harrison Sales and Marketing Warehouse Janet Richards John Smith
Printing selected user profiles You can use the Display User Profile (DSPUSRPRF) command to create an output file, which you can process using a query tool. DSPUSRPRF USRPRF(*ALL) + TYPE(*BASIC) OUTPUT(*OUTFILE) You can use a query tool to create a variety of analysis reports of your output file, such as: A list of all users who have both *ALLOBJ and *SPLCTL special authority. A list of all users sequenced by a user profile field, such as initial program or user class.
You can create query programs to produce different reports from your output file. For example: List all user profiles that have any special authorities by selecting records where the field UPSPAU is not equal to *NONE. List all users who are allowed to enter commands by selecting records where the Limit capabilities field (called UPLTCP in the model database outfile) is equal to *NO or *PARTIAL. List all users who have a particular initial menu or initial program.
List inactive users by looking at the date last sign-on field. List all users who do not have a password for use at password levels 0 and 1 by selecting records where the Password present for level 0 or 1 field (called UPENPW in the model outfile) is equal to N. List all users who have a password for use at password levels 2 and 3 by selecting records where the Password present for level 2 or 3 field (called UPENPH in the model outfile) is equal to Y.
Examining large user profiles User profiles with large numbers of authorities, appearing to be randomly spread over most of the system, can reflect a lack of security planning. Following is one method for locating large user profiles and evaluating them: 1. the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system: 2. DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) + DETAIL(*BASIC) OUTPUT(*OUTFILE) 3. Create a query program to list the name and size of each user profile, in descending sequence by size. 4. Print detailed information about the largest user profiles and evaluate the authorities and owned objects to see if they are appropriate: 5. DSPUSRPRF USRPRF(user-profile-name) + 6. TYPE(*OBJAUT) OUTPUT(*PRINT)
7. DSPUSRPRF USRPRF(user-profile-name) + TYPE(*OBJOWN) OUTPUT(*PRINT) Some IBM-supplied user profiles are very large because of the number of objects they own. Listing and analyzing them is usually not necessary. However, you should check for programs adopting the authority of the IBM-supplied user profiles that have *ALLOBJ special authority, such as QSECOFR and QSYS. For more information, see "IBM-Supplied User Profiles" in the iSeries Security Reference. Parent topic: Planning security auditing