No - QUSER not only does not need any special authorities, but it is dangerous to assign them. QUSER is used by IBM as a default user ID on several communication processes, and having that user ID carry special authorities will expose your system to new, and more dangerous, threats. For example, if you have configured SNA communications on your system, the usually default configuration allows remote DDM commands to run under QUSER's authority -- often without requiring a password.
Not only should you not give this profile special authority, you should avoid using it in your own applications and leave it for IBM. You're less likely to have problems that way, and less likely to open new exposures by changing the characteristics of this profile.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
The UPPWEI field corresponds to the password expiration interval field, and its values "0" and "-1" represent the *SYSVAL and *NOXMAX commands. Continue Reading