DSAOLDPRF DISABLE OLD PROFILE TAASEFT
The Disable Old Profile command optionally disables user profiles
that have not been signed onto recently or have never been signed
onto. Two retention periods may be specified:
   1) Profiles that have not signed on recently.
   2) Profiles that have never signed on.
Profiles that were created by the system or that are PASSWORD(*NONE)
are not considered. DSAOLDPRF may be used to minimize the exposure
that profiles will be inappropriately used.
You must have *ALLOBJ authority to use DSAOLDPRF.
See also the DLTOLDUSR tool to delete old profiles.
The default for DSAOLDPRF ACTION parameter is *CHECK meaning that a
listing is produced describing what the *DISABLE function would do
instead of actually disabling any profiles.
A typical command would be:
DSAOLDPRF DAYS(60) DAYS2(5)
Several profiles are not considered (never disabled):
** User profile names beginning with Q
** User profiles with PASSWORD(*NONE)
** User profiles already disabled
The DAYS parameter controls the retention period for those profiles
that have signed on (a 'last signon date' exists). The default is 60
days meaning if the profile has not been signed onto in the last 60
days, it would be disabled by ACTION(*DISABLE).
The DAYS2 parameter controls the retention period for those profiles
that have never been signed onto (no 'last signon date' exists).
This means a user profile was created, but the user never signed on.
The default is 5 days meaning if the profile has not been signed
onto since 5 days after the create date, it would be disabled by
ACTION(*DISABLE).
A listing is produced with one line for each profile that would be
disabled and counts of the 'bypassed' types.
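The selection rules above, modeled as an added example (not part of the TAA tool or its source): given profile records with a create date and an optional last signon date, it returns the profiles an ACTION(*CHECK) run would list and the bypass counts. The Profile record, the function name, the sample data, the strict comparison at the cutoff date and the order in which bypass types are counted are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Profile:                       # hypothetical record, not a TAA or IBM i structure
    name: str
    created: date
    last_signon: Optional[date]      # None = no 'last signon date' exists
    password_none: bool = False      # PASSWORD(*NONE)
    disabled: bool = False           # already disabled

def check_old_profiles(profiles, today, days=60, days2=5):
    """Model of ACTION(*CHECK): (names that would be disabled, bypass counts)."""
    if not 5 <= days <= 5000:
        raise ValueError("DAYS must be in a range of 5 to 5000")
    if not 0 <= days2 <= 5000:
        raise ValueError("DAYS2 must be in a range of 0 to 5000")
    signon_cutoff = today - timedelta(days=days)
    create_cutoff = today - timedelta(days=days2)
    would_disable = []
    bypassed = {"Q*": 0, "*NONE": 0, "disabled": 0}
    for p in profiles:
        # Bypass order is an assumption; the page only lists the three types.
        if p.name.upper().startswith("Q"):
            bypassed["Q*"] += 1
        elif p.password_none:
            bypassed["*NONE"] += 1
        elif p.disabled:
            bypassed["disabled"] += 1
        elif p.last_signon is not None:
            # DAYS applies: strictly older than the cutoff (assumed boundary).
            if p.last_signon < signon_cutoff:
                would_disable.append(p.name)
        elif p.created < create_cutoff:
            # DAYS2 applies: created before the cutoff and never signed on.
            would_disable.append(p.name)
    return would_disable, bypassed

TODAY = date(2024, 3, 1)             # constructed sample data below
SAMPLE = [
    Profile("QSECOFR", date(2000, 1, 1), date(2023, 1, 1)),
    Profile("APPOWNER", date(2015, 1, 1), None, password_none=True),
    Profile("OLDUSER", date(2010, 1, 1), date(2012, 1, 1), disabled=True),
    Profile("JSMITH", date(2020, 1, 1), date(2023, 11, 1)),   # stale signon
    Profile("MJONES", date(2020, 1, 1), date(2024, 2, 20)),   # recent signon
    Profile("NEWHIRE", date(2024, 2, 10), None),              # never signed on
    Profile("TEMP01", date(2024, 2, 28), None),               # created 2 days ago
]
```

With the defaults, `check_old_profiles(SAMPLE, TODAY)` selects JSMITH under DAYS and NEWHIRE under DAYS2, and counts one bypassed profile of each type.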
When you have reviewed the listing and want to disable the profiles,
specify:
DSAOLDPRF ACTION(*DISABLE) DAYS(n) DAYS2(n)
To 'enable' a 'disabled' profile, consider the ENAUSRPRF TAA command.
DSAOLDPRF escape messages you can monitor for
---------------------------------------------
None. Escape messages from the functions this tool is based on will
be re-sent.
Command parameters *CMD
------------------
ACTION        The type of action to perform.

              *CHECK is the default to check for what would occur.
              The output listing describes the user profiles that
              would be disabled. *CHECK allows you to 'try out'
              the function so you are sure you will be disabling
              the correct user profiles.

              *DISABLE may be specified to disable any user
              profiles that meet the criteria specified.

DAYS          The number of days to retain a profile in an
              'enabled' state if the profile has been signed onto.
              This parameter controls those profiles where a 'last
              signon date' exists meaning the user has signed on
              at some time.

              The default is 60 meaning that any profiles that
              have a 'last signon date' older than 60 days ago
              would be disabled by ACTION(*DISABLE). The value
              must be in a range of 5 to 5000.

DAYS2         The number of days to retain a profile in an
              'enabled' state if the profile has never been signed
              onto. This parameter controls those profiles where
              there is no 'last signon date' because the user has
              never signed on.

              The default is 5 meaning that any profiles that were
              created prior to 5 days ago and have not been signed
              onto would be disabled by ACTION(*DISABLE). The
              value must be in a range of 0 to 5000.

METHOD        The method used to disable old profiles. The
              default method of *CHGUSRPF will disable any older
              profile that is not created by *IBM. The *DSAUSRPRF
              method will use a DSAUSRPRF command and can be more
              selective. It will never disable QSECOFR and other
              profiles can be protected as well. See the
              documentation for DSAUSRPRF for details on how to do
              this.

Restrictions
------------
You must have *ALLOBJ special authority to use DSAUSRPRF.
Prerequisites
-------------
The following TAA Tools must be on your system:
ADDDAT Add date
CHKALLOBJ Check *ALLOBJ special authority
EDTVAR Edit variable
RSNLSTMSG Resend last message
RTVSYSVAL3 Retrieve system value 3
SNDCOMPMSG Send completion message
SNDSTSMSG Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object        Type    Attribute      Src member    Src file
------        ----    ---------      ----------    ----------
DSAOLDPRF     *CMD                   TAASEFT       QATTCMD
TAASEFTC      *PGM       CLP         TAASEFTC      QATTCL
TAASEFTR      *PGM       RPG         TAASEFTR      QATTCL
Added to TAA Productivity tools October 15, 2003