The Display Security Review command is designed for the Security
Officer or an auditor conducting a security review. It allows the
output from the DSPUSRPRF command to be analyzed in a variety of
ways.
Typical commands would be as follows:
** To display a basic listing of one line per user:
DSPSECRVW BASICLIST(*YES)
** To sequence the users on user class:
DSPSECRVW USRCLS(*ALL)
** To sequence the users on limited capabilities:
DSPSECRVW LMTCPB(*YES)
** To select those users with *ALLOBJ authority:
DSPSECRVW SPCAUT(*ALLOBJ)
The command assumes that the user profile information exists in a
file in TAASECURE. The information in the file can only be accessed
by a user with *ALLOBJ authority or if specifically authorized to the
TAASECRVW authorization list. The file is created with ALWUPD(*NO)
and ALWDLT(*NO).
To authorize a user to this list, specify:
ADDAUTLE AUTL(TAASECRVW) USER(xxxx) AUT(*USE)
An option on the command allows the user profile information to be
refreshed. This means that the DSPUSRPRF command OUTFILE parameter
is used to refresh the file in TAASECURE.
The command produces printed output and by default uses DSPSPLF to
display it. An option exists to print the data instead of
displaying it.
Profiles from multiple systems
------------------------------
An option on the command allows you to have the user profiles from
multiple systems stored in the same file and to either process
profiles from all systems or a specified system.
If you are going to use profiles from multiple systems, it is
suggested that you store them in a second file (you can use the
TAASECURE library) and then copy the file to TAASECKP in TAASECURE.
This will allow a recoverable solution if the TAASECKP file is
refreshed by DSPSECRVW.
For example, use DSPUSRPRF with OUTPUT(*OUTFILE) on the remote system
and transfer the outfile to your system. Copy the file from each
remote system to a central file.
When you are ready to review all profiles, use DSPSECRVW with
BASICLIST(*YES). The default will initialize the TAASECKP file in
TAASECURE with the profiles from your system. Then copy the central
file of profiles from the remote systems to TAASECKP in TAASECURE.
You may then analyze all system profiles.
DSPSECRVW command parameters *CMD
----------------------------
BASICLIST A *YES/*NO option that defaults to *NO. *YES
specifies that a basic listing is produced with one
line per user profile. There is more information in
the profile than can appear in one printed line so
only the critical fields are printed along with the
abbreviated text description.
USRCLS Whether to sequence on user class. The default is
*NO. An *ALL entry will sequence all user classes.
A specific entry will select only those users with
the same user class. The specific entries are:
*USER, *SYSOPR, *PGMR, *SECADM and *SECOFR.
PWDCHGDAT A *YES/*NO option that defaults to *NO. *YES
specifies that the user profiles be sequenced by
oldest password change date first. User profiles
which have PASSWORD(*NONE) will not be listed.
PRVSIGNON A *YES/*NO option that defaults to *NO. *YES
specifies that the user profiles are sequenced by
the previous sign-on date. User profiles
that have PASSWORD(*NONE) and have never been signed
on to will not be listed. This eliminates many
internal system profiles. The oldest previous
sign-on is listed first.
PWDNONE A *YES/*NO option that defaults to *NO. *YES
specifies that only those profiles that are set to
PASSWORD(*NONE) will be listed.
PWDEXP A *YES/*NO option that defaults to *NO. *YES
specifies that only those profiles that are set to
PWDEXP(*YES) will be listed.
STATUS A *YES/*NO option that defaults to *NO. *YES causes
the sequence of the output to be on STATUS which is
either *DISABLED or *ENABLED.
SPCAUT Allows selection of those profiles that match one or
more of the special authorities entered. The
default is *NO.
The special value *ALL may be used to select
profiles that have all special authorities.
The special authorities are *SAVSYS, *JOBCTL,
*SECADM, *ALLOBJ, *SERVICE, *SPLCTL, *AUDIT, and
*IOSYSCFG.
More than one of the special authorities may be
entered. For example, if you request *SAVSYS and
*JOBCTL only those users who have both special
authorities will be displayed.
OWNER A *YES/*NO option that defaults to *NO. *YES
specifies that the output will be sequenced by the
OWNER value, which controls whether objects created
by the user are owned by the user profile (*USRPRF)
or by the group profile (*GRPPRF).
GRPPRF A *YES/*NO option that defaults to *NO. *YES
specifies that the output will be sequenced by the
Group Profile option. Either *NONE or the name of
the group profile will be listed.
LMTCPB A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced by the
value of the LMTCPB (limited capability) parameter.
See also the CHKLMTCPB tool. User profiles which
are PASSWORD(*NONE) will not be listed.
LMTDEVSSN A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
LMTDEVSSN (limit device sessions) parameter. User
profiles which are PASSWORD(*NONE) will not be
listed.
MAXSTG A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced in
descending order of the MAXSTG value in the user
profiles. This is the maximum storage allowed for
each user profile. Profiles with a value of *NOMAX
appear last.
STGUSE A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
amount of storage used field. This is not the
MAXSTG parameter on the CRT command, but rather the
total storage used by the profile as kept by the
system. The sequence is descending order so the
profile with the most storage used is listed first.
INLPGM A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
INLPGM (initial program) parameter. The fully
qualified value is used. User profiles which are
PASSWORD(*NONE) will not be listed.
INLMNU A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
INLMNU (initial menu) parameter. The fully
qualified value is used. User profiles which are
PASSWORD(*NONE) will not be listed.
JOBD A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
JOBD (job description) parameter. The fully
qualified value is used.
ACGCDE A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
ACGCDE (accounting code) parameter.
LSTUSE A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
last use date information.
PTYLMT A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
highest schedule priority limit.
LANGID A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
language ID value.
CNTRYID A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
country ID value.
CCSID A *YES/*NO option that defaults to *NO. *YES
specifies that the profiles will be sequenced on the
CCSID value.
REFRESH An option to determine if the DSPUSRPRF OUTFILE
function is used to refresh the TAASECKP file in the
TAASECURE library. The default is *YES meaning the
file will be refreshed.
*DAYCHG may be specified which means the file will
be refreshed if the last time the file was output
was on a different day. *DAYCHG assumes that when
you are using the command repeatedly on the same day,
you do not want to keep refreshing the information.
*NO may be specified to use the existing data. If
no data exists, the file is output.
SYSTEM Whether to process all profiles or the profiles from
a specific system. The default is *ALL which means
to process all profiles found in the file. See the
previous discussion on how to handle profiles from
multiple systems.
OUTPUT The * value default means to display the information
using DSPSPLF if the command is entered
interactively. If entered in batch, a spooled file
by the name of USRPRF is output. *PRINT means to
just spool the information.
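As an added example (not TAA Tools code, and not how DSPSECRVW itself is implemented), the following Python re-creates the selection and sequencing rules described for the parameters above: the SPCAUT and-match, the PASSWORD(*NONE) exclusions of PWDCHGDAT and PRVSIGNON, USRCLS ordering, the SYSTEM filter used for profiles from multiple systems, and the REFRESH(*YES/*DAYCHG/*NO) decision. The Profile fields and the SAMPLE records are assumptions constructed for illustration; they are not the field names of the DSPUSRPRF outfile.

```python
# Added example: re-creates the DSPSECRVW selection and sequencing rules over
# constructed profile records.  Not TAA Tools code; field names and sample
# profiles are assumptions for illustration, not DSPUSRPRF outfile columns.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

USER_CLASSES = ("*USER", "*SYSOPR", "*PGMR", "*SECADM", "*SECOFR")
SPECIAL_AUTHORITIES = ("*SAVSYS", "*JOBCTL", "*SECADM", "*ALLOBJ",
                       "*SERVICE", "*SPLCTL", "*AUDIT", "*IOSYSCFG")


@dataclass(frozen=True)
class Profile:
    name: str
    system: str                     # system the profile was collected from
    user_class: str                 # one of USER_CLASSES
    status: str                     # *ENABLED or *DISABLED
    special_authorities: FrozenSet[str]
    password_none: bool             # PASSWORD(*NONE)
    pwd_changed: Optional[date]     # last password change date
    prev_signon: Optional[date]     # previous sign-on date, None if never


# Constructed sample data (assumed values, not taken from any real system).
SAMPLE = [
    Profile("SECADM1", "SYSA", "*SECOFR", "*ENABLED", frozenset(SPECIAL_AUTHORITIES),
            False, date(2023, 1, 10), date(2024, 3, 1)),
    Profile("OPER1", "SYSA", "*SYSOPR", "*ENABLED", frozenset({"*SAVSYS", "*JOBCTL"}),
            False, date(2022, 6, 5), date(2024, 2, 15)),
    Profile("SVCPRF", "SYSA", "*USER", "*ENABLED", frozenset({"*ALLOBJ", "*JOBCTL"}),
            True, None, None),
    Profile("DEV1", "SYSA", "*PGMR", "*ENABLED", frozenset(),
            False, date(2024, 1, 20), date(2024, 3, 5)),
    Profile("OLDUSR", "SYSA", "*USER", "*DISABLED", frozenset(),
            False, date(2019, 11, 2), date(2020, 1, 15)),
    Profile("RMTUSR", "SYSB", "*USER", "*ENABLED", frozenset({"*SAVSYS"}),
            False, date(2023, 9, 9), date(2024, 1, 2)),
]


def select_system(profiles, system="*ALL"):
    """SYSTEM: *ALL keeps every record, otherwise only the named system."""
    return [p for p in profiles if system == "*ALL" or p.system == system]


def select_spcaut(profiles, wanted):
    """SPCAUT: *ALL requires every special authority; a list requires that
    the profile holds ALL of the listed authorities (and-match)."""
    required = frozenset(SPECIAL_AUTHORITIES) if wanted == "*ALL" else frozenset(wanted)
    unknown = required - set(SPECIAL_AUTHORITIES)
    if unknown:
        raise ValueError(f"unknown special authority: {sorted(unknown)}")
    return [p for p in profiles if required <= p.special_authorities]


def sequence_usrcls(profiles, usrcls="*ALL"):
    """USRCLS: *ALL sequences by class; a specific class selects only it."""
    if usrcls == "*ALL":
        return sorted(profiles, key=lambda p: USER_CLASSES.index(p.user_class))
    if usrcls not in USER_CLASSES:
        raise ValueError(f"unknown user class: {usrcls}")
    return [p for p in profiles if p.user_class == usrcls]


def sequence_pwdchgdat(profiles):
    """PWDCHGDAT: oldest change first; PASSWORD(*NONE) profiles are dropped."""
    kept = [p for p in profiles if not p.password_none and p.pwd_changed is not None]
    return sorted(kept, key=lambda p: p.pwd_changed)


def sequence_prvsignon(profiles):
    """PRVSIGNON: oldest previous sign-on first; drops PASSWORD(*NONE)
    profiles that have never signed on (most internal system profiles)."""
    kept = [p for p in profiles if not (p.password_none and p.prev_signon is None)]
    return sorted(kept, key=lambda p: p.prev_signon or date.min)


def needs_refresh(refresh, last_output, today):
    """REFRESH: *YES always; *DAYCHG when the last output was on another day
    (or never); *NO only when no data exists yet."""
    if refresh == "*YES":
        return True
    if refresh == "*DAYCHG":
        return last_output is None or last_output != today
    if refresh == "*NO":
        return last_output is None
    raise ValueError(f"unknown REFRESH value: {refresh}")


def basic_list(profiles):
    """BASICLIST(*YES): one line per profile with the critical fields."""
    return [f"{p.name:<10} {p.user_class:<8} {p.status:<10} "
            f"{'*NONE' if p.password_none else 'pwd':<6} "
            f"{' '.join(sorted(p.special_authorities)) or '-'}" for p in profiles]


if __name__ == "__main__":
    for line in basic_list(sequence_usrcls(SAMPLE)):
        print(line)
    print("*ALLOBJ:", [p.name for p in select_spcaut(SAMPLE, ["*ALLOBJ"])])
```

The SVCPRF record shows why the two exclusions differ from the SPCAUT selection: a PASSWORD(*NONE) profile drops out of the password-age and sign-on listings, yet still appears in the *ALLOBJ selection, which is where an auditor would want to see it.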
Restrictions
------------
The user must be authorized to the TAASECRVW authorization list.
Prerequisites
-------------
The following TAA Tools must be on your system:
EXTLST Extract list
SNDESCMSG Send escape message
SNDSTSMSG Send status message
Implementation
--------------
The tool is ready to use, but the user must be authorized to the
TAASECRVW authorization list.
Objects used by the tool
------------------------
Object Type Attribute Src member Src file
------ ----- --------- ---------- -----------
DSPSECRVW *CMD TAASECK QATTCMD
TAASECKP *FILE PF TAASECKP QATTDDS
TAASECKC *PGM CLP TAASECKC QATTCL
TAASECKR *PGM RPG TAASECKR QATTRPG
TAASECKR2 *PGM RPG TAASECKR2 QATTRPG
The TAASECKP file is also in the TAASECURE library. The source uses
the FORMAT keyword to identify the same file used by the DSPUSRPRF
command. This allows the output file to be created with ALWUPD(*NO)
and ALWDLT(*NO).