To continue reading for free, register below or login
To read more you must become a member of Search400.com
If users require *ALLOBJ, they should be given *ALLOBJ in their own profiles or made a member of QSECOFR. This way, the i5/OS audit journal entries will log the actual user performing each function. (These users, along with the QSECOFR profile, should be audited. In other words, turn on *CMD auditing by running the CHGUSRAUD command.)
The only time they should be signing on with QSECOFR is when the actual profile "QSECOFR" is required, such as when upgrading the system or when an non-security-conscious vendor inappropriately requires you to be signed on with "QSECOFR" to install their product. For most i5/OS functions, it is sufficient to be signed on with a profile that has the required special authorities (such as *ALLOBJ and *SECADM).
In the rare case that the actual QSECOFR profile is required, there is virtually no way to guarantee that you can determine who is using the profile when more than one user knows the QSECOFR password; therefore, you will want to very tightly control who has the password and when it is used, and change it immediately.
|
