The Disable User Profile tool is designed for Assistant Security
Officers to be able to disable a user profile.
A typical command would be:
             DSAUSRPRF  USRPRF(JONES)
This would disable the user's profile so that he could not sign on. A
batch job can still be run using the profile.
The user of DSAUSRPRF must be authorized to the TAADSAPRF
authorization list.
DSAUSRPRF is an option on the SECOFR2 Assistant Security Officer
menu. See the TAA Tool SECOFR2.
The QSECOFR profile cannot be disabled.
To specify additional user profiles that cannot be disabled, see the
section on User Profile Exceptions.
To provide for an audit trail of the use of the command, the
following occurs:
** If the QAUDJRN journal exists, an entry is sent to it
describing the use of DSAUSRPRF, the profile that was
disabled, and the user that made the change. The entry type
is DA.
** If the QAUDJRN journal does not exist, the same information as
described for the journal entry is sent as a message to QHST.
Use with the TAADPTSEC Authorization List
-----------------------------------------
An alternative approach is to allow for multiple assistant security
officers who can each manage a set of unique user profiles. This is
called a 'Departmental Security Officer'. See the discussion of the
TAADPTSEC authorization list in the SECOFR2 tool documentation.
User Profile Exceptions *CMD
-----------------------
If you have 45 or fewer exceptions, the DSAUSRPRF data area in
TAASECURE can be used to specify a list of additional profiles that
cannot be disabled using the DSAUSRPRF command. The Security Officer
can then use the following command to edit a list of additional user
profiles that cannot be disabled:
             EDTCONARR  DTAARA(TAASECURE/DSAUSRPRF)
An Exception file also exists in TAASECURE (the DSAUSRPRF file). You
may have user profile names in both the data area and the file or
just in the data area or just in the file. The DSAUSRPRF command
checks both objects and if the user profile exists, the command ends
with the TAA9897 escape message.
You can maintain the DSAUSRPRF file using 1) the TAA EDTDBF command,
2) a DFU application that you create, or 3) your own technique.
If using EDTDBF, enter the command:
             EDTDBF     FILE(TAASECURE/DSAUSRPRF)
EDTDBF allows you to enter new records, change existing records,
delete records, etc. You may randomly access records in the file as
well (use F14).
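As an added illustration (not part of the TAA Tool or its documentation), the CL program below wraps DSAUSRPRF, reports the TAA9897 escape message described in this section, and then prints the audit trail described earlier: type DA entries from QAUDJRN if the journal exists, otherwise the QHST log. The program name DSACHK is hypothetical, the caller is assumed to be authorized to display QAUDJRN, and selecting the entries with ENTTYP(DA) is an assumption about how they are stored.

```cl
/* DSACHK: hypothetical wrapper, not shipped with the TAA Tools.      */
/* Call with the profile to disable, e.g. CALL DSACHK PARM(JONES)     */
             PGM        PARM(&USRPRF)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)

/* Disable the profile. The caller must be authorized to the          */
/* TAADSAPRF authorization list.                                      */
             DSAUSRPRF  USRPRF(&USRPRF)

/* TAA9897 is the escape message the documentation names when the     */
/* profile is found in the exception data area or exception file.     */
             MONMSG     MSGID(TAA9897) EXEC(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                          MSGDTA('DSAUSRPRF ended with TAA9897 for' +
                          *BCAT &USRPRF *TCAT '. Check the +
                          exception data area and file in TAASECURE') +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* Audit trail, branch 1: QAUDJRN does not exist, so the tool sent    */
/* its information to QHST. Print today's history log for review.     */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)
             DSPLOG     LOG(QHST) OUTPUT(*PRINT)
             RETURN
             ENDDO

/* Audit trail, branch 2: QAUDJRN exists. Print the type DA entries   */
/* from the current receiver chain (assumes authority to QAUDJRN).    */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          ENTTYP(DA) OUTPUT(*PRINT)
             MONMSG     MSGID(CPF0000) EXEC(SNDPGMMSG +
                          MSG('Could not list DA entries in QAUDJRN: +
                          none found, or not authorized'))
             ENDPGM
```

Because a disabled profile can still run batch jobs, the printed audit entries confirm only that the profile was disabled, not that work under it has stopped.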
Command parameters *CMD
------------------
USRPRF The user profile to be disabled.
Restrictions
------------
See the previous discussion.
Prerequisites
-------------
The following TAA Tools must be on your system:
CONARR Constant array
Implementation
--------------
The tool is ready to use, but the user must be authorized to the
TAADSAPRF authorization list. For example,
             ADDAUTLE   AUTL(TAADSAPRF) USER(xxx) AUT(*USE)
The Security Officer may also want to specify certain user profiles
that cannot be changed by entering them into the DSAUSRPRF data area
in TAASECURE. Use the command:
             EDTCONARR  DTAARA(TAASECURE/DSAUSRPRF)
You do not need to enter QSECOFR as it is always prevented.
Objects used by the tool
------------------------
   Object        Type        Attribute      Src member    Src file
   ------        ----        ---------      ----------    ----------
   DSAUSRPRF     *CMD                       TAASEDF       QATTCMD
   TAASEDFC      *PGM        CLP            TAASEDFC      QATTCL
   DSAUSRPRF     *DTAARA
The TAASEDFC program is created with USRPRF(*OWNER).
The DSAUSRPRF data area exists in the TAASECURE library.