Admin Alert: Shutting Down OS/400 User Profiles with Activation Entries
August 4, 2004 Joe Hertvik
Sometimes you may want to set up specific schedules that detail when OS/400 user profiles can sign on to your system. You may have a consultant who is only authorized to sign on during the business day, or you may want to limit customer service or other shift workers to have system access only during their shift. But since unauthorized system access often occurs during off-hours, it’s in your best interest to limit user profile access as much as possible.
OS/400 offers a simple function for creating activation schedule entries that specify when OS/400 user profiles are enabled or disabled in the system. The secret of scheduling user profile access is to use two OS/400 green-screen commands to create and view an OS/400 activation schedule. The Change Activation Schedule Entry (CHGACTSCDE) command creates and maintains activation entries for various users, while the Display Activation Schedule (DSPACTSCD) command lets you view the activation schedule you’ve set up.
Using these commands, you can create activation entries for individual user profiles, and those entries will control when specific user profiles are clear to sign on to your iSeries or AS/400 (by enabling their user profile) and when they cannot sign on (by disabling their user profile). Here’s how it works and what its drawbacks are.
If you have a consultant with a user profile name of CONSULT, for example, who is authorized to sign on during the week from 8:00 a.m. until 6:00 p.m., you could control his system access times by running CHGACTSCDE to add the following activation entry to the system.
CHGACTSCDE USRPRF(CONSULT) ENBTIME('08:00:00') DSBTIME('18:00:00') DAYS(*MON *TUE *WED *THU *FRI)
The user profile (USRPRF) parameter specifies the user ID you are controlling access for. The ENBTIME (enable time) parameter specifies when the user profile will be enabled. The DSBTIME (disable time) parameter tells OS/400 when to disable the user’s profile. All times are stated in military (24-hour) time. The DAYS parameter tells OS/400 that your target user profile will be enabled and disabled according to this schedule during the normal work week (Monday through Friday). If you wanted to continue this access schedule through the weekend, you could change the DAYS parameter to *ALL, which would activate and deactivate the user profile every day of the week.
When you use CHGACTSCDE to enter an activation entry, OS/400 creates two jobs for each entry, and these jobs will automatically run via OS/400’s job scheduling function. To view these jobs, run the Work with Job Schedule Entries (WRKJOBSCDE) command and look for two jobs named QSECACT1 that are scheduled to run at your user profile’s designated activation and deactivation times. For user “CONSULT,” the scheduled QSECACT1 activation job would run the following command at the enable time.
QSYS/CALL PGM(QSYS/QSECACT5) PARM('CONSULT' E)
When this job runs, OS/400 will change the CONSULT user profile’s STATUS parameter to *ENABLED, which allows the user to sign on to the system.
Conversely, the second QSECACT1 job that deactivates your user profile at the designated time will execute the following command.
QSYS/CALL PGM(QSYS/QSECACT5) PARM('CONSULT' D)
When this job runs, OS/400 will change the CONSULT user profile’s STATUS parameter to *DISABLED, which prevents anyone from signing on to the system with that user profile.
OS/400 sets up these activation jobs automatically, so you don’t need to worry about running them. However, you can only set up one activation schedule entry per user, so if you modify a user’s entry, it will replace the existing entry with the new values.
While CHGACTSCDE allows you to set up your activation schedule, the DSPACTSCD command allows you to view all the activation entries you’ve set up in the system. If you type DSPACTSCD at a command line or from inside an Operations Navigator command box, a list of all your user profile activation entries will appear. You can then use CHGACTSCDE to make any changes for individual user profiles in your schedule.
Activation schedules are valuable for limiting access to user profiles during off hours, but they do have some drawbacks.
- Activation entries can only be entered for individual users. They cannot be entered for wildcard user names or groups of user IDs that use a specific group profile, which would be handy for imposing the same set of activation limits on an entire set of people who work a specific shift (such as all customer service personnel who work during the first shift). This limitation also makes it more difficult for larger shops to set up a schedule for deactivating and activating many user profiles during the day, because of the large number of activation entries that need to be maintained.
- Because you can only activate and deactivate users once a day, it is difficult to set up entries to deactivate third-shift users for the weekend when their shifts begin late Friday night and end early Saturday morning. When using an activation entry in this case, users would still be re-enabled on Saturday evening, even though they may not be working a shift that night.
- If you need to make special arrangements for users who need to sign on to the system outside their usual shift (such as a consultant working on Saturdays or those working from home), their activation entry must be changed to accommodate the changed schedule, and then it must be changed back again after the user completes the special assignment.
- Schedule activation entries only prevent users from signing on anew once their profile is disabled. If a user is running a job when his profile is disabled, that job remains active until the user signs off. This situation can be mitigated somewhat by setting up the Inactive Job Timeout system value (QINACTITV) and the Inactive Job Message Queue system value (QINACTMSGQ) to automatically disconnect or end interactive jobs once they exceed a certain time-out interval. Then, if a job with a disabled user profile is automatically ended, or is disconnected once it exceeds those values, the user will not be able to reactivate that job until his profile is re-enabled at the designated time.
- Since the activation and deactivation jobs are controlled through OS/400’s job scheduling function, they may not execute at the exact time designated in the activation schedule entry. By default, activation schedule jobs run in the job queue specified in the submitting user’s job description. If the subsystem that the job queue feeds into is not active, or if the subsystem is already servicing the maximum number of jobs from that job queue, the activation jobs may not run according to schedule. Your activation schedule scheme could be sidetracked because of your system workload, and you should plan for the activation and deactivation jobs to run in subsystems where there is the least chance of disruption.
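
One way to work around the first drawback above, shown as an added example that is not part of the original article: a CL program that runs CHGACTSCDE once for every user profile whose group profile matches a given name. The program name ACTGRP, its parameter names, the CUSTSERV group and the QTEMP/USRLIST outfile are assumptions; supplemental group membership is not checked.

```cl
/* ACTGRP: apply one weekday activation schedule to each member of a group */
/* profile. Added example; ACTGRP, its parameters and QTEMP/USRLIST are    */
/* assumed names. Constructed sample call (CUSTSERV is hypothetical):      */
/*   CALL PGM(ACTGRP) PARM('CUSTSERV' '08:00:00' '18:00:00')               */
PGM        PARM(&GRPPRF &ENB &DSB)
  DCL        VAR(&GRPPRF) TYPE(*CHAR) LEN(10)   /* group profile to match  */
  DCL        VAR(&ENB)    TYPE(*CHAR) LEN(8)    /* enable time  hh:mm:ss   */
  DCL        VAR(&DSB)    TYPE(*CHAR) LEN(8)    /* disable time hh:mm:ss   */
  /* Model outfile for DSPUSRPRF TYPE(*BASIC); supplies the record fields  */
  /* &UPUPRF (user profile name) and &UPGRPF (group profile).              */
  DCLF       FILE(QSYS/QADSPUPB)

  /* Dump basic information for every user profile to a work file.         */
  DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
               OUTFILE(QTEMP/USRLIST)
  OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRLIST)

READ:
  RCVF
  MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file       */
  /* Only profiles whose group profile matches get an activation entry.    */
  /* An existing entry for the same user is replaced, since OS/400 keeps   */
  /* one activation schedule entry per user.                               */
  IF         COND(&UPGRPF *EQ &GRPPRF) THEN(DO)
    CHGACTSCDE USRPRF(&UPUPRF) ENBTIME(&ENB) DSBTIME(&DSB) +
                 DAYS(*MON *TUE *WED *THU *FRI)
  ENDDO
  GOTO       CMDLBL(READ)

DONE:
  DLTOVR     FILE(QADSPUPB)
ENDPGM
```

After running it, DSPACTSCD shows one entry per matched profile. Profiles added to the group later need the program run again.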