Establishing user accountability in AS400

If three administrators need to use QSECOFR, what is the best way to audit their activities? In other words, what can be done in AS400 to establish user accountability so that we know which one of the three admins logged on and used this powerful user profile?
If users require *ALLOBJ, they should be given *ALLOBJ in their own profiles or made a member of QSECOFR. This way, the i5/OS audit journal entries will log the actual user performing each function. (These users, along with the QSECOFR profile, should be audited. In other words, turn on *CMD auditing by running the CHGUSRAUD command.)

The only time they should be signing on with QSECOFR is when the actual profile "QSECOFR" is required, such as when upgrading the system or when an non-security-conscious vendor inappropriately requires you to be signed on with "QSECOFR" to install their product. For most i5/OS functions, it is sufficient to be signed on with a profile that has the required special authorities (such as *ALLOBJ and *SECADM).

In the rare case that the actual QSECOFR profile is required, there is virtually no way to guarantee that you can determine who is using the profile when more than one user knows the QSECOFR password; therefore, you will want to very tightly control who has the password and when it is used, and change it immediately.

This was first published in August 2007

Back to top