Pages

Wednesday, February 8, 2023

Identifying profiles with disabled Netserver access

If you have users using your partition's IFS there are times when one of them manages to disable their access. In 2019 I wrote about how they can re-enable their access themselves using the QZLSCHSI API. What if I want to be more proactive and identify the profiles who already have disabled their IFS access?

Fortunately the information is attached to their user profile, but not in a place that I can get to with any of the User Profile commands, for example CHGUSRPRF. But I can use the SQL View USER_INFO. This View contains the column NETSERVER_DISABLED, if the User Profile has disabled their Netserver access then this column will contain 'YES'.

The statement I would use is:

01  SELECT AUTHORIZATION_NAME,NETSERVER_DISABLED
02    FROM QSYS2.USER_INFO

Hang on a moment, the SQL View USER_INFO_BASIC contains a subset of the columns that USER_INFO does, thereby making it a faster View to get results from. Using this smaller, and faster, View this is an example if I only want the first five results returned:

SELECT AUTHORIZATION_NAME,NETSERVER_DISABLED
  FROM QSYS2.USER_INFO_BASIC 
  LIMIT 5

Those five results are:

AUTHORIZATION_NAME  NETSERVER_DISABLED
------------------  ------------------
A*********          NO
B*********          NO
C*********          NO
D*********          NO
E*********          NO

If I was looking for profiles with their Netserver disabled I would use the following:

SELECT AUTHORIZATION_NAME,NETSERVER_DISABLED
  FROM QSYS2.USER_INFO_BASIC
 WHERE NETSERVER_DISABLED = 'YES'

The results would look like:

AUTHORIZATION_NAME  NETSERVER_DISABLED
------------------  ------------------
S*********          YES

What if I wanted to re-enable the Netserver for everyone where it is disabled? Fortunately I can use the QCMDEXC scalar function to call the CL program I wrote in my earlier post here.

My statement would look like:

01  SELECT AUTHORIZATION_NAME,NETSERVER_DISABLED,
02         QSYS2.QCMDEXC('CALL MYLIB/RESNETPWD PARM(' || 
03                          AUTHORIZATION_NAME || ')')   
04    FROM QSYS2.USER_INFO_BASIC

Line 1: This is the user profile and whether the Netserver is disabled columns.

Lines 2 and 3: The third column is the QCMDEXC scalar function. I am using it to call the program RESNETPWD, which needs to be passed the user profile. I am concatenating the user profile into the parameter of the Call command.

When executed the results would be:

AUTHORIZATION_NAME  NETSERVER_DISABLED  00003
------------------  ------------------  -----
S*********          YES                     1

The third column is returned from the QCMDEXC scalar function to confirm that the command pass to it executed without error.

That profile's Netserver is now enabled:

SELECT AUTHORIZATION_NAME,NETSERVER_DISABLED
  FROM QSYS2.USER_INFO_BASIC
 WHERE AUTHORIZATION_NAME = 'S*********' ;


AUTHORIZATION_NAME  NETSERVER_DISABLED
------------------  ------------------
S*********          NO

Job done and successful.

 

This article was written for IBM i 7.5, and should work for some earlier releases too.

4 comments:

  1. Thanks Simon, I can confirm it's working on V7R3 with latest PTF (we use it in a Nagios4i probe).

    ReplyDelete
  2. This is awesome. Thank you Simon. What I'm curious to know is, who in my company is re-enabling the disabled users and how they are doing it. I haven't been resetting users but I know there are users being disabled and re-enabled.

    ReplyDelete
    Replies
    1. It sounds to me like there are two scenarios:

      1. Someone is manually doing this.

      2. There is a job that is run to do this.

      3. User profile changes are being replicate from one partition to another.

      Delete
    2. Also, disabled users are automaticaly re-enabled at Netserver restart.

      Delete

To prevent "comment spam" all comments are moderated.
Learn about this website's comments policy here.

Some people have reported that they cannot post a comment using certain computers and browsers. If this is you feel free to use the Contact Form to send me the comment and I will post it for you, please include the title of the post so I know which one to post the comment to.