Re: NetServer

On 06-Jul-2016 10:36 -0500, Dave DeBoe wrote:

We did see in QSYSOPR and the QHST log that QSECOFR was the profile
used to end the Netserver jobs. However, when I looked at the
previous sign-on field on the user profile QSECOFR, it had not been
used to sign onto our server for over three months prior to this
incident happening, so that tells me that QSECOFR was not used to
sign on to our iSeries server the day the Netserver went down. That
is where my problem lies.

A user can effect action without having established a[n interactive] signon, which is what the "Previous sign-on" detail of the Display User Profile (DSPUSRPRF) reveals. A non-interactive job can be started, or the current-user of a job can be established for a job, for which that job then can be identified with that current user, as having been responsible for ending a job.

There is instead the possibility of the Last Used Date available from the Display Object Description (DSPOBJD) command -- that can be run against the user profile [in this case, QSECOFR]. However in the past, the only actions that [were documented to] update that field for the User Profile (USRPRF) object were each of:

[https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rbam6/detob.htm]
_Detecting unused objects on the system_
"…
• When a job is initiated for the profile
• When the profile is a group profile and a job is started using a member of the group
• Grant User Authority (GRTUSRAUT) command (for referenced profile)
…"

I seem to recall a discussion wherein someone alluded pursuit of correction to the above docs, to include that the switch-user feature [one or more of the profile handle API] in the documentation, as having an effect of updating the last-used date. There is reference in one or more of those APIs that the last-used date will get updated -- and that there would be an audit log entry for *SECURITY type; e.g.:
[https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/apis/QSYGETPH.htm]
_Get Profile Handle (QSYGETPH) API_