IBM Support

Auditing User Profile Deletions and Associated Object Deletes on IBM i

How To


Summary

This document describes an IBM i SQL-based auditing solution that uses the SYSTOOLS.AUDIT_JOURNAL_DO table function to identify deleted user profiles (*USRPRF) and any objects that were deleted as part of the same delete operation. The report correlates delete operations using the QUALIFIED_JOB_NAME, which represents the job responsible for both the profile deletion and the associated object deletions.

Objective

When a user profile is deleted on IBM i, the operating system can automatically delete objects owned by that profile when the *DLT option is specified on the DLTUSRPRF command. These actions are recorded in the system audit journal as DO (Delete Operation) entries. This solution provides a repeatable and auditable method to report:
 
  • Which user profiles were deleted
  • Who deleted them
  • Which job performed the delete

  • Which objects were deleted as part of the same operation

     

Environment

  • System security auditing must be enabled (QAUDCTL not *NONE).
  • Auditing for Delete Operations (*DELETE value) must be active.
  • IBM i 7.4 or later with Audit Journal SQL Services available.

  • Authority to query SYSTOOLS audit journal services.

     

Steps

Audit Journal Service Used

This solution uses the table function

This service returns rows from the system audit journal that correspond to DO (Delete Operation) entries. 

Correlation Strategy

All deletions performed during a user profile delete occur within the same job. The QUALIFIED_JOB_NAME column is therefore used to correlate the *USRPRF delete entry with subsequent object delete entries written by the same job.
 

SQL Report Definition

The following SQL statement reports newly created user profiles along with key attributes assigned at creation time.  The query correlates CO and CP audit entries using the profile name and timestamp sequencing.

Using the Run SQL Scripts tool, run the following SQL Statement:

WITH Deleted_Profiles AS (
    SELECT
        ENTRY_TIMESTAMP        AS PROFILE_DELETE_TIMESTAMP,
        OBJECT_NAME            AS USER_PROFILE,
        QUALIFIED_JOB_NAME,
        USER_NAME              AS DELETING_USER
    FROM TABLE (
        SYSTOOLS.AUDIT_JOURNAL_DO(
            STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 7 DAYS
        )
    ) AJ
    WHERE OBJECT_TYPE = '*USRPRF'
      AND ENTRY_TYPE IN ('A', 'C')
),

Deleted_Objects AS (
    SELECT
        ENTRY_TIMESTAMP        AS OBJECT_DELETE_TIMESTAMP,
        OBJECT_LIBRARY,
        OBJECT_NAME,
        OBJECT_TYPE,
        OBJECT_ATTRIBUTE,
        PATH_NAME,
        ENTRY_TYPE,
        QUALIFIED_JOB_NAME
    FROM TABLE (
        SYSTOOLS.AUDIT_JOURNAL_DO(
            STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 7 DAYS
        )
    ) AJ
    WHERE OBJECT_TYPE <> '*USRPRF'
      AND ENTRY_TYPE IN ('A', 'C', 'P')
)

SELECT
    P.USER_PROFILE              AS DELETED_USER_PROFILE,
    P.DELETING_USER             AS DELETED_BY_USER,
    P.QUALIFIED_JOB_NAME        AS DELETE_JOB,
    O.OBJECT_LIBRARY,
    O.OBJECT_NAME,
    O.OBJECT_TYPE,
    O.OBJECT_ATTRIBUTE,
    O.PATH_NAME,
    O.ENTRY_TYPE                AS DELETE_ENTRY_TYPE,
    O.OBJECT_DELETE_TIMESTAMP
FROM Deleted_Profiles P
LEFT JOIN Deleted_Objects O
  ON O.QUALIFIED_JOB_NAME = P.QUALIFIED_JOB_NAME
ORDER BY
    P.USER_PROFILE,
    O.OBJECT_DELETE_TIMESTAMP;

 

NOTES:

  • The STARTING_TIMESTAMP parameter should be adjusted as needed for historical reporting. 
  • The report defaults to showing activity from the last seven days.
  • Execution time for this SQL statement may vary depending on the size of the audit journal and the time range specified.
  • The report includes both Library Type objects and IFS files.

 

Sample Report

DELETED_USER_PROFILEDELETED_BY_USERDELETE_JOBOBJECT_LIBRARYOBJECT_NAMEOBJECT_TYPEOBJECT_ATTRIBUTEPATH_NAMEDELETE_ENTRY_TYPEOBJECT_DELETE_TIMESTAMP
HUGOQSECOFR503156/V6CASTIL/QPADEV003GQUSRSYSHUGO2*MSGQ  A4/3/2026 9:36
HUGOQSECOFR503156/V6CASTIL/QPADEV003GV6CASTILQAUDITCA*FILEPF-DTA A4/3/2026 9:36
HUGOQSECOFR503156/V6CASTIL/QPADEV003GV6CASTILQAUDITAF*FILEPF-DTA A4/3/2026 9:36
HUGOQSECOFR503156/V6CASTIL/QPADEV003G  *STMF /home/v6castil/testdir/2.testA4/3/2026 9:36
HUGOQSECOFR503156/V6CASTIL/QPADEV003G  *STMF /QTCPTMM/QUEUE/DSTL.LCKA4/3/2026 9:36
HUGOQSECOFR503156/V6CASTIL/QPADEV003G  *STMF /QTCPTMM/QUEUE/USERS.LCKA4/3/2026 9:36
YOANTESTYBOYCHEV487260/YBOYCHEV/DLTUSRPRFQUSRSYSYOANTEST*MSGQ  A3/13/2026 10:01
YOANTESTYBOYCHEV487260/YBOYCHEV/DLTUSRPRF  *STMF /QTCPTMM/QUEUE/DSTL.LCKA3/13/2026 10:01
YOANTESTYBOYCHEV487260/YBOYCHEV/DLTUSRPRF  *STMF /QTCPTMM/QUEUE/USERS.LCKA3/13/2026 10:01
YOANTESTYBOYCHEV487275/YBOYCHEV/DLTUSRPRF  *STMF /QTCPTMM/QUEUE/DSTL.LCKA3/13/2026 10:08
YOANTESTYBOYCHEV487275/YBOYCHEV/DLTUSRPRF  *STMF /QTCPTMM/QUEUE/USERS.LCKA3/13/2026 10:08

 

Report Output Description

Each row in the report represents an object deletion that occurred as part of a user profile deletion. The key columns are:

  • DELETED_USER_PROFILE: The name of the deleted user profile
  • DELETED_BY_USER: The user profile that initiated the delete
  • DELETE_JOB: The qualified job name that executed the delete
  • OBJECT_LIBRARY: Library containing the deleted object (NULL for some types)
  • OBJECT_NAME: Name of the deleted object
  • OBJECT_TYPE: Type of object deleted (*FILE, *PGM, etc.)
  • OBJECT_ATTRIBUTE: Object attribute, when applicable
  • PATH_NAME: IFS path for stream files and directories
  • OBJECT_DELETE_TIMESTAMP: Timestamp of the object deletion

Use Cases

  • Security and compliance audits
  • Verification of user provisioning standards
  • Detection of Deleted Objects at the time a profile is deleted/
  • Incident response and forensic investigations

Conclusion

Using Audit Journal Services provides a reliable and fully supported method for reporting on user profile delete operations and the objects removed as part of those operations. This SQL‑based approach requires no exit programs, triggers, or permanent database objects and aligns with IBM i auditing and security best practices.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"and future releases;7.4.0;7.5.0;7.6.0"}]

Document Information

Modified date:
28 April 2026

UID

ibm17268633

Page Feedback