Rob,
You have a point there. The T-PW can carry the remote IP address which you can track back to. If the IP address can't be traced back to an individual it can be traced to a location.
If you don't have an IP address? Well, it happens and you do your best.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Wednesday, January 21, 2015 10:06 AM
To: Midrange Systems Technical Discussion
Subject: RE: possible to never disable specific user?
Gary,
If it's not an intentional CHGUSRPRF ... STATUS(*DISABLED) then all that audit log should show you would be someone trying to sign on as that person with no clue who that was. If you're lucky it might store the IP address of the workstation who failed to sign on.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: "Monnier, Gary" <Gary.Monnier@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/21/2015 12:45 PM
Subject: RE: possible to never disable specific user?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
You could use exit points to check the user's status. If the profile is
disabled notify "someone", this "someone" can then enable the account.
This would be similar to Rob's MessengerPlus example.
Auditing the user profile in question will provide the T-PW entries needed
to track down who disabled the profile. I've seen times where such
profiles are deliberately disabled to halt work for one reason or another.
Placing the one who disabled the profile in the limelight, so to speak,
can go a long way to ensuring disabling is really an accident.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
rob@xxxxxxxxx
Sent: Wednesday, January 21, 2015 9:14 AM
To: Midrange Systems Technical Discussion
Subject: Re: possible to never disable specific user?
Let me guess, 27 people know the password for QSECOFR. When you change
that password someone screws it up and disables that account. Effectively
doing a Denial Of Service attack against QSECOFR. So you are trying to
prevent this DOS attack.
This fear of a DOS attack against your security accounts is why some
people only have QMAXSGNACN vary off the device and not disable the user
profile.
Of course, I feel your pain. But, expect someone to reply that your
security accounts should be the ones which get disabled the fastest upon
incorrect sign on. They have a point also.
Or, instead of QSECOFR, you have a 'generic' account for shop floor
personnel or some such department?
For that case, the message monitoring is probably the desired solution.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Hoteltravelfundotcom <hoteltravelfun@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 01/21/2015 10:37 AM
Subject: possible to never disable specific user?
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
we have disabling of any user if failed password 3x,
can this be changed for specific user to never be disabled?
midrange.com
