
Admin Alert: Safely Deleting a User Profile

by Joe Hertvik

As employees leave a company, many administrators disable their OS/400 user profiles, rather than deleting them, because the profiles may own critical system objects, may be used in regularly scheduled batch jobs, or may be group profiles that others depend on. Disabling terminated profiles is common practice because there isn't an easy way to discover which objects a profile affects, so administrators generally believe it's better to play it safe and keep an old user profile.

To help remedy this situation, I offer the following checklist for deleting terminated user profiles instead of disabling them. By following this checklist, you can safely delete most terminated user profiles without incident, keeping your user profile list clean, current, and uncluttered.

The first step is to investigate and replace any OS/400 functions that use the profile as a base. This step involves asking the following questions and making some system adjustments to take the terminated user out of your processes.

Is the user profile used to run a regularly scheduled batch job or a server job?

In OS/400, most recurring jobs are scheduled through the job scheduler, and that requires the scheduler entry to designate which user profile the job should run under. This can create a problem when you delete a user profile because a scheduled job will fail if it is submitted to run under a user profile that doesn't exist. So if you're deleting a popular user profile (such as the former head of the IT department, who may have scheduled many jobs), you need to determine whether there are any jobs scheduled to run under his user profile and switch those jobs to run under another profile name.

As far as I know, there is no automated procedure in iSeries Navigator (OpsNav) to scan for scheduled jobs that run under a particular user profile, but you can find this information on a 5250 green screen by using the Work with Job Scheduled Entries (WRKJOBSCDE) command to create a printout containing information about all your scheduled jobs.
WRKJOBSCDE OUTPUT(*PRINT) PRTFMT(*FULL)

This command creates a detailed report of every job scheduler entry on your system, including the name of the user profile each job will run under. To find all the jobs that run under a particular user profile, display the printout created from the WRKJOBSCDE command and search for your target user profile name. When you find the user profile name in a particular job scheduler entry, you can again use the WRKJOBSCDE command to change the User parameter in that entry to an active user profile that has all the right authorities to run your job.

The other gotcha in this technique is that some jobs (along with their associated user profile names) are submitted from within CL programs or during an OS/400 IPL. In these cases, you may also want to check your IPL startup program code and the startup process for any server job that is currently running under the name of the terminated user profile.

Does the user profile own any objects in the system?

This step is optional because you can also delete owned objects or transfer their ownership to another user profile as you delete the profile. The important point is that OS/400 will not delete a user profile that owns objects. So another key to successfully deleting a user profile is to either change the ownership of any objects it owns or delete the objects along with the user profile.

The iSeries Navigator doesn't provide an easy way to perform these functions; you can view but not work with a user's owned objects inside OpsNav. So you have to go back to the green screen once again and use the Work with Objects by Owner (WRKOBJOWN) command to view and change ownership for each object that a user profile owns.
WRKOBJOWN USRPRF(user_profile)

This command displays all the objects owned by the target user. The WRKOBJOWN screen gives you the option to change an object's owner (9=Change owner) or to delete an owned object (4=Delete). You can perform mass ownership changes by placing a 9 in front of all the owned objects and then specifying the user profile name of the new owner in the New Owner (NEWOWN) parameter on the command line, like this:
NEWOWN(new user_profile)

When you hit the Enter key, all the owned objects marked with a 9 will be changed to use the user profile specified in the NEWOWN parameter as their new owner. If you want to delete all the objects this user owns, simply put a 4 (delete) instead of a 9 in front of each object and perform the same routine.

Is the user profile that you're going to delete a group profile?

If other user profiles are depending on the soon-to-be-deleted user profile for authorities by listing the profile as their primary or secondary group, you need to find those user profiles and change their group profile or Supplemental groups parameters (GRPPRF and SUPGRPPRF) to another group. To find all the user profiles that are members of a group profile, use the Display User Profile command (DSPUSRPRF) with the group member option, like this:
DSPUSRPRF USRPRF(user profile) TYPE(*GRPMBR)

This shows all the user profiles that list the terminating user profile in their group profile or supplemental group parameters. Before you can delete your user profile, then, you need to change these parameters in each of the dependent user profiles.

Now that you've done the upfront work, you're ready to delete your user profile. You can delete profiles by using either iSeries Navigator or the green screen.

For iSeries Navigator, open the Users and Groups and All Users nodes, and highlight the profile that you want to delete. Right-click the profile and choose Delete from the pop-up menu that appears. A Delete User panel will appear, with three radio buttons that tell OS/400 what to do with objects the user profile owns. The "Do not delete if user owns objects" button tells OS/400 to leave any owned objects alone and to retain the user profile if that user owns any objects. The "Delete objects that user owns" button tells OS/400 to delete all owned objects as it axes the user profile. And the "Transfer objects to another user" button tells OS/400 to transfer ownership to another user profile that you can select from a list. Once you make your selection and press the OK button, the user profile will be deleted and the owned objects will be changed, depending on which parameters you selected.

Deleting profiles on the green screen is a similar process. The big difference is that you use the Delete User Profile (DLTUSRPRF) command in one of the following three configurations:
DLTUSRPRF USRPRF(user profile) OWNOBJOPT(*NODLT)
DLTUSRPRF USRPRF(user profile) OWNOBJOPT(*DLT)
DLTUSRPRF USRPRF(user profile) OWNOBJOPT(*CHGOWN new user_profile)

In the first example, the user profile will be deleted, provided that it doesn't own any objects. The second example will delete the user profile and all objects that it owns, while the third example will delete the user profile and transfer any objects it owns to another user profile. At this point, you're finished. The user profile has been safely deleted and most objects that were affected by the profile have been modified to account for the profile's absence. This technique will take care of most user profile deletion scenarios.
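
For the scheduled-job check earlier in the checklist, searching the WRKJOBSCDE printout by eye is easy to get wrong on a system with many entries. The Python sketch below is an added example, not part of the original article: it scans a text copy of the report for entries that run under the target profile and also flags entries whose command string names the profile (the SBMJOB case the article calls the other gotcha). The report layout and sample text are constructed assumptions, as are the function names; adjust the field pattern to the report your release produces.

```python
import re

# Constructed sample, NOT real system output: a simplified stand-in for a text
# copy of the WRKJOBSCDE OUTPUT(*PRINT) PRTFMT(*FULL) report. The layout
# ("Label . . . : value", one "Job" line starting each entry) is an assumption.
SAMPLE_REPORT = """\
Job . . . . . . . . . : NIGHTLYBKP
  Entry number  . . . : 000012
  User  . . . . . . . : JSMITH
  Command . . . . . . : CALL PGM(OPSLIB/BACKUP)
Job . . . . . . . . . : MONTHEND
  Entry number  . . . : 000031
  User  . . . . . . . : QPGMR
  Command . . . . . . : SBMJOB CMD(CALL PGM(FINLIB/CLOSE)) USER(JSMITH)
Job . . . . . . . . . : PURGELOGS
  Entry number  . . . : 000044
  User  . . . . . . . : QSYSOPR
  Command . . . . . . : CALL PGM(OPSLIB/PURGE)
"""

# "Label . . . : value" with dot leaders between the label and the colon.
FIELD = re.compile(r"^\s*([A-Za-z ]+?)[ .]*:\s*(.*)$")

def parse_entries(report):
    """Split the report into one dict per scheduler entry, keyed by label."""
    entries = []
    for line in report.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # page headers, blank lines
        label, value = m.group(1).strip().lower(), m.group(2).strip()
        if label == "job":
            entries.append({"job": value})  # a "Job" line opens a new entry
        elif entries:
            entries[-1][label] = value
    return entries

def entries_for_profile(report, profile):
    """Return (job, entry number, reason) for entries that depend on profile."""
    name = profile.upper()
    # Whole-name match only, so profile OPS does not hit library OPSLIB.
    word = re.compile(r"(?<![A-Z0-9_#$@])" + re.escape(name) + r"(?![A-Z0-9_#$@])")
    hits = []
    for e in parse_entries(report):
        if e.get("user", "").upper() == name:
            hits.append((e["job"], e.get("entry number", ""), "runs as profile"))
        elif word.search(e.get("command", "").upper()):
            hits.append((e["job"], e.get("entry number", ""), "command names profile"))
    return hits
```

Any entry this returns still has to be changed with WRKJOBSCDE, as described above, before the profile is deleted.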



=====================================================================================

Admin Alert: Six Things Power i Administrators Need to Know


Published: February 17, 2010

by Joe Hertvik

To become an effective i/OS system administrator, you need to access a lot of information. This week, I'll look at some of the more valuable pieces of information I frequently use to service my Power i systems and how I retrieve and maintain that information. Perhaps you can use this list as a starting point for collating your own critical i/OS knowledge base.

Serial Number, Processor Group, and Machine Type

It seems like outside vendors always ask for the serial number of the machine I'm working on. The system Processor Group (otherwise known as P Group, which is used for maintenance contracts and third-party software) and machine type are also often needed, so it's helpful to know where to find them.

To retrieve a system's serial number and P group from the green screen, type in the Work with License Information (WRKLICINF) command. You can also find the serial number by running the following Display System Value (DSPSYSVAL) command to read the contents of the System serial number system value (QSRLNBR).
DSPSYSVAL SYSVAL(QSRLNBR)

To retrieve the serial number in iSeries Navigator (OpsNav), open the Configuration and Service -> System Values node and select the System and User Defaults option that appears in the right-hand pane. This screen displays the serial number, model number, and processor feature code of your machine.

The machine type is necessary when calling for IBM service. You can find this information off the Service Registration Information screen. To reach this screen, open the Electronic Service Agent menu by typing in this Go to Menu (GO) command.
GO MENU(SERVICE)

Select option 6, Display Service Registration Information, off the Service menu and the serial number and the machine type will appear on this screen.

To find the serial number-machine type combination inside OpsNav, right-click on the node representing your system in OpsNav and select Properties off the pop-up menu that appears. This will show you the System Properties screen for that partition. Click on the General tab on this screen and OpsNav will display the machine type, model, serial number, and i/OS version of your operating system software.

For more information on retrieving these and other common i/OS system values that vendors frequently ask for, see my article on retrieving system control information.

Operating System Level

To retrieve your OS level, do the following:

1. Run the Display Software Resources (DSPSFWRSC) command from a green-screen command line.
2. Press the F11=Display libraries/releases key.

The screen will show you the release level for every piece of licensed software registered on your machine. Look at the very top entry (for i/OS V5R4Mx, it's the 5722999 entry) and that displays the partition's release level. For i/OS V5R4Mx, you can also get the OS level by running the following Display PTF (DSPPTF) command.
DSPPTF LICPGM(5722999)

The information will be displayed at the top of the screen.

You can find this information in OpsNav by looking at the System Properties screen for your partition as I described in the "Serial Number, Processor Group, and Machine Type" section.

Phone Numbers to Program Into Your Cell Phone

As an administrator, it's handy to have the following numbers programmed into your cell phone, because system problems don't always occur while you're in the shop.

- IBM Technical Support: 1-800-426-7378 in the U.S.
- IBM Business Partner phone numbers.
- Numbers for any IBM technicians who frequently visit your shop.
- Number for your third-party media management service, in case you need to retrieve backup media during an emergency.
- Company direct-dial number to your corporate Help Desk.
- Direct-dial number to check voicemail messages and keystrokes to access your mailbox while out of the office.

Critical Documents To Keep Off-Site

You may also want to consider keeping copies of your critical documents off-site, where they can be recovered during an emergency. By doing this, if the computer room or offices are unavailable during a flood, earthquake, natural disaster, explosion, etc., you'll still be able to access the documents and procedures that will help you restore the system.

For example, we keep a copy of the Capacity BackUp (CBU) system run book (used for activating the CBU) at the remote site where the CBU resides. Some of our i/OS administrators also keep a copy of the run book in their cars. You will also want to keep copies of the disaster recovery plan in an off-site location.

Keypad Sequences for Getting IBM Technical Support

Once you call IBM support, there are two different sequences for calling either IBM hardware or software technical support. For hardware service calls, press the following telephone keys in sequence.

- Press 2: Other business products and solutions
- Press 1: Hardware
- The automated system will ask you for your four-digit machine type.
- Press 1: For new service request

For software service calls, press the following keys.

- Press 2: Other business products and solutions
- Press 2: Assistance with software
- Press 1: Software support for operating systems

Depending on your service contract, you may be able to call IBM technical support for more than emergency service calls. There have been times that I've called IBM when I'm trying to figure out how to make some tricky technical configurations on the system. If you have a service contract, IBM tech support can sometimes point you in the right direction when you need configuration or programming help.

Printing a Rack Configuration

When adding new hardware to your system, you will frequently have to produce a rack configuration (rack config). A rack config is a physical listing of all hardware components that comprise your iSeries, System i, or Power i. It's basically a roadmap of your entire system. Hardware vendors use the rack config to determine which components can be added to your systems and identify which components will need to be removed, rearranged, or used to support the new components.

Follow these steps to print a rack config on a partitioned system.

1. Sign into and bring up the System Service Tools (SST) menu by running the Start System Service Tools (STRSST) command.
2. Sign into SST by using an SST user ID and password that has access privileges to use SST's Hardware Service Manager feature.
3. From the SST screen, take option 1, Start a Service Tool.
4. On the Start a Service Tool screen, take option 7, Hardware Service Manager.
5. On the Hardware Service Manager screen, press F6=Print Configuration to print the rack config. Fill in the Print Format Options on the screen that appears and press the Enter key.

This sequence will print out a partition rack configuration to your default output queue, where you can either print or email it to your hardware provider. If you have multiple partitions on your machine, don't forget to print out rack configs for each partition, so the vendor can have a complete view of your system. For more information on rack configurations, see my article on printing and emailing a rack config.
