Disabling Inactive User Profiles

With the increased risk of cybersecurity incidents and data breaches, many corporations have
adopted a set of standard security practices, including reducing risk by locating and disabling
inactive user accounts across the enterprise.

Previously on IBM i, the Analyze Profile Activity (ANZPRFACT) function was used by many
to find and disable user profiles that have not been used in a specified number of days. In a High
Availability environment, users typically sign in only to the production system, so user profile
usage information is updated only on the production system. After a switchover or failover in
this type of environment, when ANZPRFACT processing runs on the new primary node,
many more users than just the inactive ones are disabled, impacting the availability of the system
for many users.

PowerHA has introduced a new policy, QHA_AD_ANZCADPRF, and command (ANZCADPRF)
which analyzes and caches usage information across nodes in the PowerHA environment. This
capability enables users to meet security policies of disabling inactive profiles on all nodes while
avoiding auditing concerns that exist with other High Availability solutions.

Before you begin

To disable inactive user profiles successfully, the following requirements must be met:

  • The node executing the command must have a status of Active in the cluster.

  • The cluster administrative domain must exist and have a status of Active.

  • The following special authorities are required to run the ANZCADPRF command:

    • All object (*ALLOBJ)

    • Input/ Output system configuration (*IOSYSCFG)

    • Security administrator (*SECADM)

Procedure

Defining the QHA_AD_ANZCADPRF Policy

A QHA_AD_ANZCADPRF PowerHA policy must be defined for the administrative domain. This
policy must specify the number of days before a profile is considered inactive, and optionally can
specify profiles to always consider inactive.

If not already created, define an instance of the QHA_AD_ANZCADPRF PowerHA policy.
For example, from the command line add a policy for the administrative domain,
ADMDMN, that indicates profiles are considered inactive after 90 days:

ADDHAPCY PCY(QHA_AD_ANZCADPRF) PCYDMN(ADMDMN) QUAL(*NONE) VALUE('INACTDAYS(90)')

Alternatively, if user profiles MYUSER1 and MYUSER2 should never be considered inactive, use the OMITPRF keyword to exclude these profiles:

ADDHAPCY PCY(QHA_AD_ANZCADPRF) PCYDMN(ADMDMN) QUAL(*NONE) VALUE('INACTDAYS(90) OMITPRF(MYUSER1 MYUSER2)')

Tip: Many IBM-supplied user profiles are already omitted by default. See the QHA_AD_ANZCADPRF policy for the list of profiles omitted by default.

Running the ANZCADPRF command

After adding a PowerHA policy, use the Analyze Cluster Administrative Domain Profile
(ANZCADPRF) command to enforce the policy and disable any inactive profiles across nodes in the same administrative domain as the node executing the command.

Run the ANZCADPRF command. This command can be run from any active node within the administrative domain:

ANZCADPRF

Important: The command ANZCADPRF should be scheduled to run at a regular interval with a job scheduler.
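The procedure above carried through as one CL program. This is an added example, not code from the PowerHA documentation or from the product: it defines the QHA_AD_ANZCADPRF policy for administrative domain ADMDMN with the two exempt profiles, runs ANZCADPRF once, verifies that an exempted profile is still enabled, and then schedules the analysis with the standard ADDJOBSCDE command. The profile names MYUSER1 and MYUSER2, the job schedule entry name ANZCADPRF, and the 02:00 nightly run time are assumptions made for this example; MONMSG error handling is left out for brevity.

```cl
/* Added example, not from the PowerHA documentation. Assumes the     */
/* administrative domain ADMDMN exists and is Active on this node.    */
/* MYUSER1/MYUSER2 are constructed profile names; the schedule entry  */
/* name and the 02:00 run time are choices made for this example.     */
             PGM
             DCL        VAR(&STS) TYPE(*CHAR) LEN(10)

 /* 1. Policy: inactive after 90 days, never disable MYUSER1/MYUSER2. */
 /*    OMITPRF and its closing parenthesis sit inside the single       */
 /*    quoted VALUE string together with INACTDAYS.                    */
             ADDHAPCY   PCY(QHA_AD_ANZCADPRF) PCYDMN(ADMDMN) +
                          QUAL(*NONE) +
                          VALUE('INACTDAYS(90) OMITPRF(MYUSER1 MYUSER2)')

 /* 2. Enforce the policy now on every node in the domain.            */
             ANZCADPRF

 /* 3. Check that an exempted profile is still *ENABLED. If it was     */
 /*    disabled, the OMITPRF list in the policy is not what was        */
 /*    intended, so tell the operator.                                 */
             RTVUSRPRF  USRPRF(MYUSER1) STATUS(&STS)
             IF         COND(&STS *NE '*ENABLED') THEN(DO)
                SNDMSG  MSG('ANZCADPRF disabled exempt profile MYUSER1, check OMITPRF in policy') +
                          TOMSGQ(QSYSOPR)
             ENDDO

 /* 4. Schedule the analysis to run every night at 02:00.             */
             ADDJOBSCDE JOB(ANZCADPRF) CMD(ANZCADPRF) FRQ(*WEEKLY) +
                          SCDDAY(*ALL) SCDTIME('020000')
             ENDPGM
```

Compile with CRTCLPGM (or CRTBNDCL) from a source member and call it once from a profile holding *ALLOBJ, *IOSYSCFG and *SECADM; the scheduled job inherits the authority of the user named on the job schedule entry, so run it under a profile that also meets those requirements. After each run, the messages written to the job log and to QSYSOPR are the record of which profiles were disabled.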

Results

All user profiles across all nodes within the administrative domain, including profiles not monitored by the administrative domain, are analyzed. Any inactive user profiles are disabled, and messages are sent to the job log and the QSYSOPR message queue.

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.