On 04 Apr 2013 10:21, CRPence wrote:
On 04 Apr 2013 09:56, John Mathew wrote:

What is the difference between ANZPRFACT and WRKSYSVAL.
Can I give both values in the system.

ANZPRFACT INACDAYS(60)
WRKSYSVAL SYSVAL(QPWDEXPITV) set value to 30 days.

If the purpose of both is to disable the profiles, then why do we
have both?

The system value setting for QPWDEXPITV, the Password Expiration
Interval, determines how soon a password of a user profile should
expire [if that *USRPRF object is defined to have
PWDEXPITV(*SYSVAL)]. After the interval is reached, the user profile
will be recognized as effectively having a password set to a status
of *expired* but the profile is *not* disabled; when the interval is
reached, the actual PWDEXP() setting of the *USRPRF is not changed,
the condition is merely recognized as expired when credentials are
exchanged between the user and the system. The user need only sign-on
[via 5250 or with whatever other interface that supports effectively
the same access to a ChgPwd feature] to the system using the expired
password, and then change the password.

and also second case will prompt user for the password exp.

On the 5250 interface the user is forcibly prompted the CHGPWD
display when the interval is exceeded, and the user can not exit the
Change Password display to continue access to the system without
having successfully changing the password. The user can only be
signed off until the password is changed.

whereas first one doesn't is that true?

The Analyze Profile Activity command examines profile *inactivity*
and will change the user profile to status *disabled* [note: nothing
to do with password expired] if the specified Number of Inactive
Days [INACDAYS parameter] is met or exceeded.

can please advise or suggest.

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzamv/rzamvuserprofdisable.htm

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzamv/rzamvuserprofdisable.htm


I should have clarified that a user with STATUS(*DISABLED) is unable to signon or otherwise obtain credentials.

Also in v7r1 there was an additional parameter to the User Profile called USREXPDATE for which the user is *expired* after the assigned date [or after the User Expiration Interval is passed, if *USREXPITV is used; which if a USREXPITV is specified, given conditions are met, is just translated into a date for the USREXPDATE parameter attribute]. With this value, unlike the Password Expiration Interval, the system actually performs via a scheduled job, the actions that /expire/ the user profile. See CHGUSRPRF:

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/cl/chgusrprf.htm
_i User expiration date (USREXPDATE) i_

Specifies the date when the user profile expires and is automatically disabled. Use the Display Expiration Schedule (DSPEXPSCD) command to display a list of all user profiles set to expire.

If a user profile is set to expire, the QSECEXP1 job is scheduled to run nightly.
...

_i User expiration interval (USREXPITV) i_

Specifies the expiration interval (in days) before the user profile is automatically disabled. Use the Display User Profile (DSPUSRPRF) command to display the date the user profile expires. Use the Display Expiration Schedule (DSPEXPSCD) command to display a list of all user profiles set to expire.

Note: A value must be specified for this parameter if the User expiration date (USREXPDATE) parameter has a value of *USREXPITV. If the USREXPDATE parameter has a value other than *USREXPITV, no value is allowed for this parameter.
..."

That doc seems not to define explicitly what "to expire" a user profile means. But both the above doc and the following doc seem to suggest the action is CHGUSRPRF STATUS(*DISABLED). As noted earlier in my reply, that status prevents the user from using the profile to gain access\credentials to the system. I am not sure where an "Expiration Action" is defined, I found none in a search, so I am not sure if the reference to DLTUSRPRF in the following doc is in error.? Hmmm... I have since found a reference; the below doc is not in error, just not as helpful as it could be. The Change Expiration Schedule Entry (CHGEXPSCDE) has an ACTION() parameter but the /text/ for the parameter is labeled just "action" vs "expiration action" and is thus not capable of being searched in the InfoCenter on the latter.

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/cl/dspexpscd.htm
_i Display Expiration Schedule (DSPEXPSCD) i_
"The Display Expiration Schedule (DSPEXPSCD) command displays the list of user profiles, their expiration date, and the expiration action to be taken (disable or delete the profile). If there are no user profiles set to automatically expire, an empty report will be produced.

If the expiration action is delete then the owned object option (*NODLT, *DLT, *CHGOWN) and the primary group option (*NOCHG, *CHGPGP) are shown. If the owned object option is *CHOWN then the new owner is shown. If the primary group option is *CHGPGP then the new primary group and the new primary group authority are shown.
..."

Thus the above doc might better have stated "If the expiration action is *DELETE [per CHGEXPSCD ACTION(*DELETE)] then the owned object option and the primary group option (*NOCHG, *CHGPGP) are shown in the report."

http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/cl/chgexpscde.htm
_i Change Expiration Scd Entry (CHGEXPSCDE) i_
"The Change Expiration Schedule Entry (CHGEXPSCDE) command allows you to expire a user profile on a certain date. The expired user profile can either be disabled or deleted.

To change a user profile entry so that it will no longer expire, specify EXPDATE(*NONE).

This information can be displayed using the Display Expiration Schedule (DSPEXPSCD) command.

When a profile has been scheduled to be disabled or deleted the QSECEXP1 job is scheduled to run nightly.
..."

Sadly, the above documentation also makes no reference to the DLTUSRPRF command, so that was also not capable of being searched that way.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.