User Profiles Summary

See the Compliance Guide for a comprehensive analysis of user profiles. The following is a summary of user profiles to help you when reading a profile Scorecard.

Default Passwords Profiles: A profile with a password equal to the user name is an unacceptable security risk. Many companies have policies to name their user accounts or profiles based on a standard format, such as first name initial followed by the last name (for example, jsmith,

Invalid Signons Profiles: Users may fail in their first couple of attempts to sign on to the system because they have mistyped or forgotten their password. A large number of invalid signon attempts, however, can indicate that someone is trying to "crack" a password or to access an account to which they are not authorized. Regular auditing should monitor the number of invalid signon attempts per profile.

Inactive Profiles: User profiles that were created for users who are no longer with the company should be deleted as soon as possible. Deleting old and disabled user profiles from the system simplifies system management and can increase overall system performance by eliminating unnecessary authority lookups. Unused profiles could become enabled and compromised at a later date, which may not be noticed because the profiles are not used on a regular basis.

Password Expired Profiles: If a user’s password has expired, it is a good indication that a profile is old and dormant. Profiles that are not kept current by their users are the most likely candidates for abuse by hackers or disgruntled employees.

Group Profiles: Group profiles are an efficient method of managing security for large numbers of employees who perform similar job functions. Historically, System i applications have used group profiles to provide end users with access to an application, and, in unchecked cases, have provided end users ownership of all application objects. During the execution of an application, a member of a Group Profile inherits all of the group’s regular authority as well as the group’s Special Authority.

Special Authorities Profiles: Special authorities (*ALLOBJ, *SECADM, *SPLCTL, *IOSYSCFG, *AUDIT, *JOBCTL, *SERVICE, and *SAVSYS) are “super user”-like capabilities granted to user profiles to allow them to perform security-sensitive functions for specific reasons, such as program development, system administration, or system operation. These rights are powerful and should be reserved only for trusted and knowledgeable IT professionals. The Scorecard uses effective special authority in all cases (including any special authorities that are inherited from group membership).
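As an added example (not code from the Compliance Guide or the Scorecard itself), the following Python sorts a constructed set of profile records into the six categories summarised above and computes effective special authority by folding in what is inherited from the primary group and any supplemental groups. The record layout, the thresholds (five invalid signons, 90 days without a signon) and the profile names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

SPECIAL = {"*ALLOBJ", "*SECADM", "*SPLCTL", "*IOSYSCFG",
           "*AUDIT", "*JOBCTL", "*SERVICE", "*SAVSYS"}

@dataclass
class Profile:  # hypothetical record layout, not the product's own
    name: str
    default_password: bool = False      # password equals the user name
    invalid_signons: int = 0
    last_signon: Optional[date] = None  # None: never signed on
    password_expired: bool = False
    special_authorities: Set[str] = field(default_factory=set)
    group: Optional[str] = None         # primary group profile
    supplemental_groups: List[str] = field(default_factory=list)

def effective_special_authorities(p, by_name):
    # own special authorities plus any inherited through group membership
    eff = set(p.special_authorities)
    for g in [p.group, *p.supplemental_groups]:
        if g in by_name:
            eff |= by_name[g].special_authorities
    return eff & SPECIAL

def score_profiles(profiles, today, max_invalid=5, inactive_days=90):
    by_name = {p.name: p for p in profiles}
    groups = {g for p in profiles for g in [p.group, *p.supplemental_groups] if g}
    checks = {
        "default_password": lambda p: p.default_password,
        "invalid_signons": lambda p: p.invalid_signons >= max_invalid,
        # group profiles are not expected to sign on, so dormancy is judged for users only
        "inactive": lambda p: p.name not in groups and (p.last_signon is None
                              or (today - p.last_signon).days > inactive_days),
        "password_expired": lambda p: p.password_expired,
        "group": lambda p: p.name in groups,
        "special_authority": lambda p: bool(effective_special_authorities(p, by_name)),
    }
    return {k: sorted(p.name for p in profiles if test(p)) for k, test in checks.items()}

# Constructed sample data: one group profile and four users
SAMPLE = [
    Profile("QPGMR_GRP", special_authorities={"*JOBCTL", "*SAVSYS"}),
    Profile("JSMITH", default_password=True, last_signon=date(2024, 5, 30), group="QPGMR_GRP"),
    Profile("TJONES", invalid_signons=7, last_signon=date(2024, 5, 31)),
    Profile("OLDUSER", last_signon=date(2023, 11, 1), password_expired=True),
    Profile("SECOFF2", last_signon=date(2024, 5, 29), special_authorities={"*ALLOBJ"},
            supplemental_groups=["QPGMR_GRP"]),
]
REPORT = score_profiles(SAMPLE, date(2024, 6, 1))
```

Note that JSMITH carries no special authority of its own yet lands in the special-authority category through its group, which is exactly why the Scorecard reports effective rather than directly assigned authority.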