IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Delivered
Workspace IBM i
Categories Security
Created by Guest
Created on Jan 18, 2019

RELATED IDEAS

Provide warning when a user profile approaches maximum total user profile internal entries

Provide warning when a user profile approaches maximum total user profile internal entries, which is approximately 50 million entries. This number is the sum of owned object, private authority, authorized user, and primary group entries for any one user profile.


Use Case:

We recently had a service account hit the 50 million entries mark, and while it only caused a brief interruption in our business, it was an interruption that would have been avoided had we received a warning.


Idea priority Medium
  • Guest
    Reply
    |     May 3, 2022
    Each user profile has a separate maximum total number of user profile entries for the basic auxiliary storage pool and each independent auxiliary storage pool. In IBM i 7.5 these maximums were increased from 50,000,000 to 200,000,000 (see Security Limits: https://www.ibm.com/docs/en/i/7.5?topic=capacities-security-limits). Also in IBM i 7.5 message CPI147D (User profile &1 nearing authority entry limit) is sent to the history log QHST when a user profile reaches 90% of the maximum number of authority entries for an auxiliary storage pool (ASP). The message is sent once when the 90% threshold is reached for an ASP and again each time the percentage drops below 85% and then reaches 90%.

    An example of the CPI147D message:

    Message ID . . . . . . : CPI147D Severity . . . . . . . : 10
    Message type . . . . . : Information
    Date sent . . . . . . : 04/01/22 Time sent . . . . . . : 09:35:58

    Message . . . . : User profile &1 nearing authority entry limit.
    Cause . . . . . : &2 percent of the maximum available authority entries
    for user profile &1 on auxiliary storage pool (ASP) &4, number &3
    have been used.
    Recovery . . . : No recovery is necessary at this time. This limit applies
    only to the indicated ASP. You can use the Print Profile Internals
    (PRTPRFINT) or Dump User Profile (DMPUSRPRF) command to see the types of
    authority entries in use by this profile for each ASP. The authority entry
    count is the sum of: (1) objects owned by this profile, (2) objects for
    which this profile has been assigned specific private authority, (3) other
    profiles assigned specific private authorities to each object owned by this
    profile, and (4) objects for which this profile is the primary group. The
    Display User Profile (DSPUSRPRF) command may be used to see if any objects
    should be deleted, reassigned ownership, or have specific private
    authorities removed.

    IBM Power Systems Development
  • Guest
    Reply
    |     Dec 14, 2021

    The CAAC has reviewed this requirement and recommends that IBM view this as a medium priority requirement that should be addressed. The work-arounds mentioned below are great, but a warning message would really nail it.

    Background: The COMMON Americas Advisory Council (CAAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CAAC has a key role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community, and has therefore reviewed your RFE.

    For more information about CAAC, see www.common.org/caac

    Nancy Uthke-Schmucki - CAAC Program Manager

  • Guest
    Reply
    |     Jan 4, 2021

    A work around for this issue was released in APAR MA48712 via PTFs:
    7.4: MF68101
    7.3: MF68099
    7.2: MF68098

    The PTF will create a VL0B003009 VLOG when a profile index exceeds 90% full for an IASP or SYSBAS. The vlog will identify the profile name, ASP number (in hex), and the current entry counts (in hex).

    Here is an example vlog which identifies profile TESTPRF1 on IASP 0x23 exceeds 90% full with 0x02F00001 entries (0x02F00000 owned objects entries and 0x01 authorized object entries).

    LIC LOG ENTRY ID 01001337 TYPE 0B00 (AUTHORITY ) 3009 NOTE SIZE 02C4 DUMP SIZE 000A66 TIME STAMP 12/03/20 14:38:37
    USER PROFILE EXTENSION NEARLY FULL
    USER PROFILE NAME
    DUMP ITEM
    EA146B9D6C FF9000 DISK UNIT 0001 DISK PAGE 00731939
    EA146B9D6C FF9600 E3C5E2E3D7D9C6F1 * TESTPRF1*
    EA146B9D6C FF9620 4040404040404040 4040404040404040 404040404040 * *
    ASP NUMBER
    DUMP ITEM
    +0000 0023 *.. *
    OWNED OBJ CNT
    DUMP ITEM
    +0000 02F00000 *.0.. *
    AUTH OBJ CNT
    DUMP ITEM
    +0000 00000001 *.... *
    AUTH USER CNT
    DUMP ITEM
    +0000 00000000 *.... *
    PRIM GRP CNT
    DUMP ITEM
    +0000 00000000 *.... *

  • Guest
    Reply
    |     May 13, 2019

    When looking at the documentation of the System Limits table I found the following section:
    ==================================================================================================
    For the most important system resources, the IBM i operating system automatically tracks the highest consumption and consumers.

    The IBM i operating system is comprised of many products and components. As an integrated operating system, not only do the products and components frequently rely upon each other, but common building blocks and resources are used. Some of the resources are deemed to be critical because their proper use and consumption is directly related to achieving continued, normal operational behavior. The repository for this tracking lies within DB2 for i.
    ==================================================================================================
    Being a non native speaker, my judgment might be wrong, but given this RFE I see no room for an argument that this maximum number of internal entries should not be a part of this table.

    As always feel 100 % free to disagree.

    Greetings Rudi

  • Guest
    Reply
    |     May 10, 2019

    IBM will use this request as input to planning but no commitment is made or implied. This request will be updated in the future if IBM implements it. IBM will use votes and comments from others in the community to help prioritize this request.

    Workaround:
    Run the PRTPRFINT command periodically to monitor how full profiles are getting.
    PRTPRFINT SELECT(*PCTFULL) PCTFULL(75)
    This would print all profiles that are at least 75% full to a spooled file. Percent value ranges from 0.01 - 100.00.

  • Guest
    Reply
    |     Mar 13, 2019

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Security
    Operating system - IBM i
    Source - None

    For recording keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Core OS
    Operating system - IBM i
    Source - None

  • Guest
    Reply
    |     Feb 18, 2019

    The COMMON Europe Advisory Council (CEAC) has reviewed this requirement and recommends that IBM view this as a medium priority requirement that should be addressed.

    Background: The CEAC members have a broad range of experience in working with small and medium-sized IBM i customers. CEAC has a crucial role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community and has therefore reviewed your RFE.

    To find out how CEAC help to shape the future of IBM i, see CEAC @ ibm.biz/BdYSYj and the article "The Five Hottest IBM i RFEs Of The Quarter" at ibm.biz/BdYSZT

    Therese Eaton – CEAC Program Manager, IBM

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.