The only time they should be signing on with QSECOFR is when the actual profile "QSECOFR" is required, such as when upgrading the system or when an non-security-conscious vendor inappropriately requires you to be signed on with "QSECOFR" to install their product. For most i5/OS functions, it is sufficient to be signed on with a profile that has the required special authorities (such as *ALLOBJ and *SECADM).
In the rare case that the actual QSECOFR profile is required, there is virtually no way to guarantee that you can determine who is using the profile when more than one user knows the QSECOFR password; therefore, you will want to very tightly control who has the password and when it is used, and change it immediately.
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
On AS/400, the journal type AF subtype K, shows that a user profile lacks the special authority required by the function attempting to run. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.