Versions Compared

Version Old Version 3 New Version 4
Changes made by

Brian Nordland

Brian Nordland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

PowerHA has introduced a new policy, QHA_AD_ANZCADPRF, and command (ANZCADPRF)
which analyzes and caches usage information across nodes in the PowerHA environment. This
capability enables users to meet security policies of disabling inactive profiles on all nodes while
avoiding auditing concerns that exist with other High Availability solutions.

Panel
panelIconIdatlassian-light_bulb_on
panelIcon:light_bulb_on:
panelIconText:light_bulb_on:
bgColor#E3FCEF

This process replaces the ANZPRFACT process in your environment. The ANZPRFACT command works on a different model, see the Migrating from the ANZPRFACT Process section for additional information.

Before you begin

To disable inactive user profiles successfully, the following requirements must be met:

...

Note

Important: The command ANZCADPRF should be scheduled to run at a regular interval with a job scheduler. This command only needs to be run on a single node within the administrative domain.

Results

All user profiles across all nodes within the administrative domain, including profiles not monitored by the administrative domain, are analyzed. Any inactive user profiles are disabled and messages are sent to the joblog and QSYSOPR message queue

Migrating from the ANZPRFACT Process

If the environment was previously using the ANZPRFACT process for disabling inactive profiles, the following section provides additional information on the differences and the migration process.

The operating system supplied ANZPRFACT command, combined with the CHGACTPRFL comamnds allows for specifying the user profiles to omit and inactive days and will also create a scheduled job entry for disabling inactive profiles. The PowerHA ANZCADPRF command works in a different way in that the QHA_AD_ANZCADPRF policy is used to specify profiles to omit and inactive days, and the ANZCADPRF command should be run from a job scheduler.

The following steps serve as a guide for migrating from the ANZPRFACT command:

  1. Remove the scheduled job entry from your job scheduler on all nodes within the administrative domain.

  2. Create a QHA_AD_ANZCADPRF PowerHA policy specifying the number of days before a profile is considered inactive, along with the list of profiles to omit.

  3. Schedule the ANZCADPRF command to run.

Panel
panelIconIdatlassian-light_bulb_on
panelIcon:light_bulb_on:
panelIconText:light_bulb_on:
bgColor#E3FCEF

The ANZCADPRF command works across all nodes in the administrative domain, for both profiles within the administrative domain and profiles that are not in the administrative domain. Therefore, this command only needs to be scheduled to run on one node within the administrative domain.