Manage Learn to apply best practices and optimize your operations.

Establishing user accountability in AS400

Expert Carol Woodbury explains what can be done in AS400 to establish accountability for users logged on to the QSECOFR profile.

If three administrators need to use QSECOFR, what is the best way to audit their activities? In other words, what can be done in AS400 to establish user accountability so that we know which one of the three admins logged on and used this powerful user profile?
If users require *ALLOBJ, they should be given *ALLOBJ in their own profiles or made a member of QSECOFR. This way, the i5/OS audit journal entries will log the actual user performing each function. (These users, along with the QSECOFR profile, should be audited. In other words, turn on *CMD auditing by running the CHGUSRAUD command.)

The only time they should be signing on with QSECOFR is when the actual profile "QSECOFR" is required, such as when upgrading the system or when an non-security-conscious vendor inappropriately requires you to be signed on with "QSECOFR" to install their product. For most i5/OS functions, it is sufficient to be signed on with a profile that has the required special authorities (such as *ALLOBJ and *SECADM).

In the rare case that the actual QSECOFR profile is required, there is virtually no way to guarantee that you can determine who is using the profile when more than one user knows the QSECOFR password; therefore, you will want to very tightly control who has the password and when it is used, and change it immediately.

Dig Deeper on iSeries system and application security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.