Auditor(s) Assigned Audit Date
Workpaper
Audit Objectives and Procedures Ref. By
________________________________________________________________________________________________________
K.3 User/Group Profiles - Cont'd
K.3.4.1 Signing on with IBM-supplied user profiles that are designed to be object owners is not permitted. Use a DSPAUTUSR list to verify that the following IBM-supplied user profiles have a password of *NONE:
QDBSHR QDFTOWN QDOC QTSTRQS QDSNX QFNC QGATE QLPAUTO QLPINSTALL QSNADS QSPL QSPLJOB QSYS
K.3.5 Obtain a listing of user and group profiles using the following command:
DSPUSRPRF USRPRF(profile name) TYPE(*BASIC)
To get the output into a magnetic file: enter DSPUSRPRF, press PF4, select the output file option and name the file. Have the file transferred to a PC, or via XCOMM to the mainframe, where Office Services will copy the file(s) to the Audits cc 0820 G drive.
For each profile review the following settings:
K.3.5.1 GROUP (Group Profile) UPGRPF
Determine if members of each group are related to a common user function.
K.3.5.2 PWDEXPITV (Password Expiration Interval)
*SYSVAL: system default specified in QPWDEXPITV.
If a number is specified, a specific interval has been set for this user.
K.3.5.3 CURLIB (Current Library) UPCRLB
Determine that the specified library is suitable to the user function. Ensure that this library is adequately secured.
SYSTEM SECURITY K/PROG
28
Page 10 of 22
K.3.5.4 LMTCPB (Limited Capability) UPLTCP
Specifies whether the user can change the initial program, initial menu, current library and attention-key-handling program values.
*NO: the user may change all of these values in his own user profile with the CHGPRF command.
*PARTIAL: the initial program and current library values cannot be changed. The initial menu value can be changed (using CHGPRF) and commands can be run from the command line of a menu.
*YES: the initial program, initial menu and current library values cannot be changed. Some commands can be run on the command line of a menu.
E&Y recommended value: *YES for production users.
K.3.5.5 SPCAUT (Special Authority) UPSPAU
*ALLOBJ: allows unlimited access to almost every object.
*SECADM: allows administration of user profiles.
*SAVSYS: for saving and restoring the system and data.
*JOBCTL: allows manipulation of work queues and subsystems.
*SERVICE: allows many uncontrolled functions.
*SPLCTL: allows control of spool functions.
*USRCLS: the user is given the special authorities that are appropriate for his user class.
*NONE: no special authority assigned.
Determine if the special authority assigned to each user class is suitable. Generally, users and programmers should not have any special authorities. SECADM, QSECOFR and SYSOPR have *SAVSYS and *JOBCTL special authorities by default. IBM engineers may have *SERVICE.
E&Y recommendation: *PUBLIC must be set to *EXCLUDE.
K.3.5.6 INLPGM (Initial Program) UPINPG
*NONE: no initial program is used. The user is given access to the command level.
The initial program may not provide a way to exit from the program except to sign off.
If a menu name is specified in the initial menu parameter then that menu is displayed. Ensure that there is no option in the menus/sub-menus to exit and access the command level.
K.3.5.7 INLMENU (Initial Menu) UPINMN
*SIGNOFF: the user will be signed off the system once the initial program ends.
Menu security limits a user's capabilities and restricts the user to a predefined secured environment. The initial menu appears after the initial program terminates. Ensure that users are assigned menus and menu options that are suitable for their job functions.
The advantages of menu security are that it is easy to implement, and therefore incurs low security management cost, and that it provides an easy-to-use interface.
Caveat: initial menus are mostly user-defined and therefore may contain loopholes. The application design is critical to menu security.
E&Y recommendation: use the limited capability approach, where appropriate, together with library and object security.
K.3.5.8 LMTDEVSSN (Limit Device Sessions) UPLDVS
*SYSVAL: the system value determines whether the user is limited to one device session.
*NO: does not limit the use of a user-id to one device session.
*YES: limits the use of a user-id to one device session.
E&Y recommended value: *YES, or *SYSVAL with QLMTDEVSSN set to option one (limit the number of device sessions to one).
K.3.5.9 STATUS (Status of user profile) UPSTAT
Specifies whether the user profile is usable or not.
*ENABLED: profile is usable.
*DISABLED: profile is not usable.
E&Y recommendation: inactive or dormant user profiles should be set to *DISABLED to prevent unauthorized usage.
Note that system profiles such as QSYS, QSECOFR, etc. must be set to *ENABLED.
K.3.5.10 Obtain a list of user profiles and review for the following:
1. Identify the users permitted access to individual and each group profile.
2. Determine if all users are permitted access based on written authorization by Departmental Management.
3. Confirm that all users are currently employed.
K.3.5.11 Determine whether unauthorized users can process critical functions from their menu(s).
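The review points in K.3.4.1 and K.3.5 can be applied mechanically once the DSPUSRPRF output file has been transferred to a PC. The script below is an added example and is not part of the E&Y workpaper: it assumes each record is a dict keyed by the outfile field names quoted above (UPSPAU, UPLTCP, UPINPG, UPLDVS, UPSTAT), with UPUPRF (profile name) and HAS_PASSWORD (taken from the DSPAUTUSR list) as assumed keys, and the sample rows are constructed.

```python
# Added example, not from the E&Y workpaper. Records are dicts keyed by the
# DSPUSRPRF TYPE(*BASIC) outfile field names cited in K.3.5; UPUPRF (profile
# name) and HAS_PASSWORD (from the DSPAUTUSR list) are assumed keys, and the
# sample rows below are constructed, not real data.
IBM_OWNER_PROFILES = {"QDBSHR", "QDFTOWN", "QDOC", "QTSTRQS", "QDSNX", "QFNC",
                      "QGATE", "QLPAUTO", "QLPINSTALL", "QSNADS", "QSPL",
                      "QSPLJOB", "QSYS"}
SPECIAL_AUTHS = {"*ALLOBJ", "*SECADM", "*SAVSYS", "*JOBCTL", "*SERVICE", "*SPLCTL"}
# Non-IBM profiles the workpaper says hold *SAVSYS and *JOBCTL by default.
ADMIN_PROFILES = {"SECADM", "SYSOPR"}

def review_profile(rec, employed):
    """Return the K.3 findings for one profile; the listing is assumed to be
    production users, so the E&Y value *YES is expected for LMTCPB."""
    name, f = rec["UPUPRF"], []
    if name.startswith("Q"):  # IBM-supplied profiles: only K.3.4.1 applies
        if name in IBM_OWNER_PROFILES and rec.get("HAS_PASSWORD"):
            f.append(f"K.3.4.1 {name}: IBM object-owner profile has a password")
        return f
    held = set(rec.get("UPSPAU", "").split()) & SPECIAL_AUTHS  # blank-separated
    if held and name not in ADMIN_PROFILES:
        f.append(f"K.3.5.5 {name}: special authority {' '.join(sorted(held))}")
    if rec.get("UPLTCP") != "*YES":
        f.append(f"K.3.5.4 {name}: LMTCPB={rec.get('UPLTCP')}, expected *YES")
    if rec.get("UPINPG") == "*NONE" and rec.get("UPLTCP") != "*YES":
        f.append(f"K.3.5.6 {name}: no initial program, command level reachable")
    if rec.get("UPLDVS") not in ("*YES", "*SYSVAL"):
        f.append(f"K.3.5.8 {name}: LMTDEVSSN={rec.get('UPLDVS')}, expected *YES")
    if rec.get("UPSTAT") == "*ENABLED" and name not in employed:
        f.append(f"K.3.5.9 {name}: enabled but not a current employee")
    return f

def review_listing(records, employed):
    """Flatten the findings for a whole DSPUSRPRF listing."""
    return [x for r in records for x in review_profile(r, employed)]

SAMPLE = [  # constructed rows
    {"UPUPRF": "QSYS", "HAS_PASSWORD": False, "UPSPAU": "*ALLOBJ *SECADM"},
    {"UPUPRF": "QDFTOWN", "HAS_PASSWORD": True, "UPSPAU": ""},
    {"UPUPRF": "CLERK1", "UPSPAU": "", "UPLTCP": "*YES", "UPINPG": "APMENU",
     "UPLDVS": "*YES", "UPSTAT": "*ENABLED"},
    {"UPUPRF": "PGMR2", "UPSPAU": "*JOBCTL *SPLCTL", "UPLTCP": "*NO",
     "UPINPG": "*NONE", "UPLDVS": "*NO", "UPSTAT": "*ENABLED"},
    {"UPUPRF": "EXSTAFF", "UPSPAU": "", "UPLTCP": "*YES", "UPINPG": "APMENU",
     "UPLDVS": "*SYSVAL", "UPSTAT": "*ENABLED"},
]
```

Calling review_listing(SAMPLE, {"CLERK1", "PGMR2"}) reports the password on QDFTOWN, four points on PGMR2 and the still-enabled EXSTAFF profile, which are exactly the exceptions an auditor would carry forward to the workpaper.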