Analyzing user profiles


This topic describes how to analyze user profiles and provides step-by-step instructions.

You can display or print a complete list of all the users on your system with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced by profile name or group profile name. Following is an example of the group profile sequence:

                        Display Authorized Users

                            Password
    Group       User        Last       No
    Profile     Profile     Changed    Password   Text
    DPTSM
                ANDERSOR    08/04/0x              Roger Anders
                VINCENTM    09/15/0x              Mark Vincent
    DPTWH
                ANDERSOR    08/04/0x              Roger Anders
                WAGNERR     09/06/0x              Rose Wagner
    QSECOFR
                JONESS      09/20/0x              Sharon Jones
                HARRISOK    08/29/0x              Ken Harrison
    *NO GROUP
                DPTSM       09/05/0x   X          Sales and Marketing
                DPTWH       08/13/0x   X          Warehouse
                RICHARDS    09/05/0x              Janet Richards
                SMITHJ      09/18/0x              John Smith

Printing selected user profiles

You can use the Display User Profile (DSPUSRPRF) command to create an output file, which you can process using a query tool.

    DSPUSRPRF USRPRF(*ALL) +
              TYPE(*BASIC) OUTPUT(*OUTFILE)

You can use a query tool to create a variety of analysis reports of your output file, such as:

- A list of all users who have both *ALLOBJ and *SPLCTL special authority.
- A list of all users sequenced by a user profile field, such as initial program or user class.

You can create query programs to produce different reports from your output file. For example:

- List all user profiles that have any special authorities by selecting records where the field UPSPAU is not equal to *NONE.
- List all users who are allowed to enter commands by selecting records where the Limit capabilities field (called UPLTCP in the model database outfile) is equal to *NO or *PARTIAL.
- List all users who have a particular initial menu or initial program.
- List inactive users by looking at the date last sign-on field.
- List all users who do not have a password for use at password levels 0 and 1 by selecting records where the Password present for level 0 or 1 field (called UPENPW in the model outfile) is equal to N.
- List all users who have a password for use at password levels 2 and 3 by selecting records where the Password present for level 2 or 3 field (called UPENPH in the model outfile) is equal to Y.
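The field-based selections above, written as SQL WHERE clauses and run with Python's sqlite3 over a stand-in for the outfile. This is an added example, not IBM's code: the table name USRPRFOUT and the sample rows are constructed, and UPUPRF (the profile name field) is assumed from the model outfile rather than named on this page.

```python
import sqlite3

# Selection criteria from the text as SQL WHERE clauses (fixed strings, no user input).
# UPSPAU, UPLTCP, UPENPW and UPENPH are the field names the page gives.
REPORTS = {
    "special_authority":   "UPSPAU <> '*NONE'",
    "allobj_and_splctl":   "UPSPAU LIKE '%*ALLOBJ%' AND UPSPAU LIKE '%*SPLCTL%'",
    "can_enter_commands":  "UPLTCP IN ('*NO', '*PARTIAL')",
    "no_password_lvl_0_1": "UPENPW = 'N'",
    "password_lvl_2_3":    "UPENPH = 'Y'",
}

# Constructed sample rows, not real system output.
# Columns: UPUPRF (profile name, assumed), UPSPAU, UPLTCP, UPENPW, UPENPH.
SAMPLE_ROWS = [
    ("QSECOFR", "*ALLOBJ *SECADM *SPLCTL", "*NO",      "Y", "Y"),
    ("JONESS",  "*ALLOBJ *SPLCTL",         "*NO",      "Y", "Y"),
    ("SMITHJ",  "*NONE",                   "*YES",     "Y", "Y"),
    ("WAGNERR", "*JOBCTL",                 "*PARTIAL", "Y", "N"),
    ("DPTSM",   "*NONE",                   "*YES",     "N", "N"),
]

def load_outfile(rows):
    """Load rows into an in-memory table standing in for the outfile."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USRPRFOUT "
                 "(UPUPRF TEXT, UPSPAU TEXT, UPLTCP TEXT, UPENPW TEXT, UPENPH TEXT)")
    conn.executemany("INSERT INTO USRPRFOUT VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def run_reports(conn):
    """Return {report name: sorted list of matching profile names}."""
    results = {}
    for name, where in REPORTS.items():
        sql = f"SELECT UPUPRF FROM USRPRFOUT WHERE {where} ORDER BY UPUPRF"
        results[name] = [row[0] for row in conn.execute(sql)]
    return results

def findings_by_profile(results):
    """Invert the reports: {profile: [reports it appears in]} for review."""
    findings = {}
    for name, profiles in results.items():
        for profile in profiles:
            findings.setdefault(profile, []).append(name)
    return findings

if __name__ == "__main__":
    findings = findings_by_profile(run_reports(load_outfile(SAMPLE_ROWS)))
    for profile, hits in sorted(findings.items()):
        print(f"{profile:10} {', '.join(hits)}")
```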

Examining large user profiles

User profiles with large numbers of authorities, appearing to be randomly spread over most of the system, can reflect a lack of security planning. Following is one method for locating large user profiles and evaluating them:

1. Use the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system:

       DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) +
               DETAIL(*BASIC) OUTPUT(*OUTFILE)

2. Create a query program to list the name and size of each user profile, in descending sequence by size.

3. Print detailed information about the largest user profiles and evaluate the authorities and owned objects to see if they are appropriate:

       DSPUSRPRF USRPRF(user-profile-name) +
                 TYPE(*OBJAUT) OUTPUT(*PRINT)

       DSPUSRPRF USRPRF(user-profile-name) +
                 TYPE(*OBJOWN) OUTPUT(*PRINT)

Some IBM-supplied user profiles are very large because of the number of objects they own. Listing and analyzing them is usually not necessary. However, you should check for programs adopting the authority of the IBM-supplied user profiles that have *ALLOBJ special authority, such as QSECOFR and QSYS. For more information, see "IBM-Supplied User Profiles" in the iSeries Security Reference.
