I am on OS400 V5.1 and 405CD.
Some of what I say might not work same in later versions.
Let's assume you create a CL program like my simple SYSMSGPASS, place it
into BPCS library list, and update menus like my earlier posting walked thru
steps. (when I add menu items, I do not key in description, I key in program
name, then save menu, then return ... if description now filled with what I
used when I compiled the program, I know I did not do a typo on menu
maintenance. Then I may adjust description, add H-text additional comments)
Then you let the people know how to access this option. A few will use it,
but many may ignore you.
When signed on as a security officer, on command line, and various IBM
menus, you can get at some useful security reports.
DSPAUTUSR and select *PRINT gets a report on authorized users, including
last date they changed their password. Print that out. Use highlighter to
illuminate those who have not changed it recently. Supply that marked up
report to management, along with copy of reminder instructions how to access
menu PASS to change password to something known only to the user. Inform
management that where the report says "No Password" that no one can sign-on
to one of those profiles, which exist for IBM functions other than humans
signing on. Request gentle reminders for the people whose passwords have
not been changed recently.
I personally, as IT person, have more important things to be doing than
managing people passwords, plus I consider it to be a security risk if IT
person knows all passwords of all people (this can end up being written down
some place, and carelessly left where some inappropriate person can see).
If someone forgets their password, I check the WRKSYSVAL *SEC rules (e.g. do
we need a digit in there?) ask them what they want for the temporary, then I
go into WRKUSRPRF change their user-id both to the temporary and have it
expire-yes. This lets them sign on, but before they can do anything, they
are forced to change it to a password only they know.
With PRTUSRPRF you can get more detailed report than DSPAUTUSR. This is a
quick way to see: which user-ids have special IBM authorities; who is in a
user class other than ordinary user; who has limited capability; whose
settings are non-standard (e.g. initial menu other than *SIGNOFF, if they
accidentally F3 fall out of BPCS); which user-ids exist which have not been
used in a while (be careful about removing after disabling ... there may be
objects needed by BPCS which are owned by former users).
You might supply human resources (personnel) with copy of this, marked up
where we have user-ids which have not signed on for a while (use highlighter
to illuminate them) then ask if any of these are former employees where we
should make sure their access is now denied. Careful, some of the user-ids
may be for non-employees such as computer vendors, who may be unknown to HR.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.