...
PowerHA has introduced a new policy, QHA_AD_ANZCADPRF, and command (ANZCADPRF)
which analyzes and caches usage information across nodes in the PowerHA environment. This
capability enables users to meet security policies of disabling inactive profiles on all nodes while
avoiding auditing concerns that exist with other High Availability solutions.
This process replaces the ANZPRFACT process in your environment. The ANZPRFACT command works in a very different way from the ANZCADPRF process. See the section titled Migrating from the ANZPRFACT Process for additional information.
Before you begin
To disable inactive user profiles successfully, the following requirements must be met:
The node executing the command must have a status of Active in the cluster.
The cluster administrative domain must exist and have a status of Active.
The following special authorities are required to run the ANZCADPRF command:
All object (*ALLOBJ)
Input/Output system configuration (*IOSYSCFG)
Security administrator (*SECADM)
...
Defining the QHA_AD_ANZCADPRF Policy
A QHA_AD_ANZCADPRF PowerHA policy must be defined for the administrative domain. This
policy must specify the number of days before a profile is considered inactive, and optionally can
specify profiles to always consider inactive.
...
Tip: Many IBM-supplied user profiles are already omitted by default. See the QHA_AD_ANZCADPRF policy for the list of profiles omitted by default.
...
Important: The command ANZCADPRF should be scheduled to run at a regular interval with a job scheduler. This command only needs to be run on a single node within the administrative domain.
Results
All user profiles across all nodes within the administrative domain, including profiles not monitored by the administrative domain, are analyzed. Any inactive user profiles are disabled, and messages are sent to the job log and the QSYSOPR message queue.
Migrating from the ANZPRFACT Process
If the environment was previously using the ANZPRFACT process for disabling inactive profiles, the following section provides additional information on the differences and the migration process.
The operating-system-supplied ANZPRFACT command, combined with the CHGACTPRFL command, allows for specifying the user profiles to omit and the inactive days, and also creates a scheduled job entry for disabling inactive profiles. The PowerHA ANZCADPRF command works differently: the QHA_AD_ANZCADPRF policy is used to specify the profiles to omit and the inactive days, and the ANZCADPRF command should be run from a job scheduler.
The following steps serve as a guide for migrating from the ANZPRFACT command:
Remove the scheduled job entry from your job scheduler on all nodes within the administrative domain.
Create a QHA_AD_ANZCADPRF PowerHA policy specifying the number of days before a profile is considered inactive, along with the list of profiles to omit.
Schedule the ANZCADPRF command to run.
The ANZCADPRF command works across all nodes in the administrative domain, for both profiles within the administrative domain and profiles that are not in the administrative domain. Therefore, this command only needs to be scheduled to run on one node within the administrative domain.