Delete userprofile : concequences

45 pts.
Tags:
iSeries
Users
WRKOBJOWN
An employee left the company so i wanted to delete his user profile on our iSeries. Doing so the system told me the user was the owner of some objects. I changed this with the WRKOBJOWN command and after that i could delete the profile. Now a few jobscd-entries couldn't start because these jobs used the user profile to start under. Maybe there are other sorts of jobs that will not start anymore So, which command or commands can give me a general overview of the objects i must check before deleting an user profile in the future ?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hi,

You can try the WRKOBJOWN command to see which objects are OWNED by a particular user, but this won’t tell you whether jobs are scheduled to run using that user profile. You may also have CL programs which submit jobs to run using specific profiles – which you would also have to search for using something like PDM.

You may also have things like FTP scripts which connect from other machines using specific profiles.

It’s difficult to give a list of all the places to look for this as there are so many places that user profiles can be used.

Regards,

Martin Gilbert.

============================================================

System auditing (and possibly job accounting) can be used to track profile activity. <i>Review of audit information</i> is necessary in order to know if the system is being used as it should be.

One issue is that the jobs shouldn’t have been scheduled under that profile to begin with. They should have been scheduled under an application profile rather than an individual’s profile. Review of audit info could have picked up on that before it became an issue.

One possible future action would be to leave the profile on the system for a length of time (set by some written policy). Use CHGUSRPRF to change the profile password to *NONE to block remote logon attempts. At the same time (or after some additional policy period), set the profile to *DISABLED. Monitor activity by that profile during the policy period to determine sources of usage. Ideally, you might retain the profile long enough to establish that it is not an integral part of a business-critical element such as “period close”.

When there is no evidence of activity, the profile could be deleted. Owned objects should be transferred to an appropriate profile — not an individual, but to some ‘application’ profile. You might make certain that a standard application owner profile exists. And you might create a secondary temp-owner profile for intermediate holding of ownership for these cases.

If control is exerted over objects such as the job scheduler, and they are monitored or reviewed, the situation shouldn’t arise in the future.

Tom

Discuss This Question:  

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following