Disabling Inactive User Profiles

Owned by Brian Nordland
Last updated: May 24, 2024
3 min read

With the increased risk of cybersecurity incidents and data breaches,many corporations have
adopted a set of standard security practices including reducing risk by locating and disabling
inactive user accounts across the enterprise.

Previously on IBM i, the Analyze Profile Activity (ANZPRFACT) functionality was used by many
to find and disable user profiles that have not been used in a specified number of days. In a High
Availability environment, users typically only sign-in to the production system causing user profile
usage information to only be updated on the production system. After a switchover or failover in
this type of environment, when the ANZPRFACT processing runs on the new primary node,
many more users than just the inactive users are disabled, impacting the availability of the system
for many users.

PowerHA has introduced a new policy, QHA_AD_ANZCADPRF, and command (ANZCADPRF)
which analyzes and caches usage information across nodes in the PowerHA environment. This
capability enables users to meet security policies of disabling inactive profiles on all nodes while
avoiding auditing concerns that exist with other High Availability solutions.

This process replaces the ANZPRFACT process in your environment. The ANZPRFACT command works in very different way from the ANZCADPRF process. See the section titled Migrating from the ANZPRFACT Process for additional information.

Before you begin

To disable inactive user profiles successfully, the following requirements must be met:

  • The node executing the command must have a status of Active in the cluster.

  • The cluster administrative domain must exist and have a status of Active.

  • The following special authorities are required to run the ANZCADPRF command:

    • All object (*ALLOBJ)

    • Input/ Output system configuration (*IOSYSCFG)

    • Security administrator (*SECADM)

Procedure

Defining the QHA_AD_ANZCADPRF Policy

A QHA_AD_ANZCADPRF PowerHA policy must be defined for the administrative domain. This
policy must specify the number of days before a profile is considered inactive, and optionally can
specify profiles to always consider inactive.

The following command adds a policy for an administrative domain, ADMDMN, that indicates
profiles are considered inactive after 90 days:

If not already created, define an instance of the QHA_AD_ANZCADPRF PowerHA policy.
For example, from the command line add a policy for the administrative domain,
ADMDMN, that indicates profiles are considered inactive after 90 days:

ADDHAPCY PCY(QHA_AD_ANZCADPRF) PCYDMN(ADMDMN) QUAL(*NONE) VALUE('INACTDAYS(90)')

Alternatively, if user profiles MYUSER1 and MYUSER2 should never be considered inactive, use the OMITPRF keyword to exclude these profiles:

ADDHAPCY PCY(QHA_AD_ANZCADPRF) PCYDMN(ADMDMN) QUAL(*NONE) VALUE('INACTDAYS(90) OMITPRF(MYUSER1 MYUSER2')

Tip: Many IBM supplied user profiles are already omitted by default. See the QHA_AD_ANZCADPRF policy for the list of profiles omitted by default.

Running the ANZCADPRF command

After adding a PowerHA policy, use the Analyze Cluster Administrative Domain Profile
(ANZCADPRF) command to enforce the policy and disable any inactive profiles across nodes in the same administrative domain as the node executing the command.

Run the ANZCADPRF command. This command can be run from any active node within the administrative domain:

ANZCADPRF

Important: The command ANZCADPRF should be scheduled to run at a regular interval with a job scheduler. This command only needs to be run on a single node within the administrative domain.

Results

All user profiles across all nodes within the administrative domain, including profiles not monitored by the administrative domain, are analyzed. Any inactive user profiles are disabled and messages are sent to the joblog and QSYSOPR message queue

Migrating from the ANZPRFACT Process

If the environment was previously using the ANZPRFACT process for disabling inactive profiles, the following section provides additional information on the differences and the migration process.

The operating system supplied ANZPRFACT command, combined with the CHGACTPRFL comamnds allows for specifying the user profiles to omit and inactive days and will also create a scheduled job entry for disabling inactive profiles. The PowerHA ANZCADPRF command works in a different way in that the QHA_AD_ANZCADPRF policy is used to specify profiles to omit and inactive days, and the ANZCADPRF command should be run from a job scheduler.

The following steps serve as a guide for migrating from the ANZPRFACT command:

  1. Remove the scheduled job entry from your job scheduler on all nodes within the administrative domain.

  2. Create a QHA_AD_ANZCADPRF PowerHA policy specifying the number of days before a profile is considered inactive, along with the list of profiles to omit.

  3. Schedule the ANZCADPRF command to run.

 

Privacy Policy | Cookie Policy | Impressum
From time to time, this website may contain technical inaccuracies and we do not warrant the accuracy of any posted information.
Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.