I'm the information security officer for a local bank and I have run into an issue regarding SECOFR user IDs. Here's my scenario: The IS people have assigned QSECOFR user IDs to two of my users for the sole purpose of resetting user IDs when there is an issue with a password. I read somewhere that there is a "SecureAdmin" user ID that can be established in an OS/400 environment that allows the user to only reset passwords and such. Can you provide me any insight into this issue?
Users definitely do not need to be given "QSECOFR" IDs just to administer profiles. You must give the administrators *SECADM special authority. This is required to create, change, delete, etc., user profiles. (*ALLOBJ special authority is NOT required.) This should be all they need to administer profiles.

However, problems will arise if more than one individual needs to administer (e.g., reset passwords for) the same set of user profiles. If one administrator creates a profile, the other administrator will not have authority to administer the profile. So you can do one of two things. The first is to create a profile whose purpose in life is to own profiles -- I'll call it PROFOWN. Then create a CL program that administrators run. The program is owned by and adopts PROFOWN. Within the CL program, the profile is created and then the ownership is transferred to PROFOWN. Other tools can then be created that adopt PROFOWN that will reset passwords and enable profiles. This way, no user owns the profiles and tools can be written to allow maintenance.

Another method is to have the user profiles owned by the group profile that the users administering profiles belong to. Having the administrators' group own the profiles provides the ability for any member of that group to have sufficient authority to be able to manage the profiles.
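The PROFOWN approach described in the answer, written out as an added example (this is not code from the original page or from Carol Woodbury). The library ADMLIB, the group profile HELPDESK and the program name CRTPRF are assumed names; the setup commands in the header comment are the ones a security officer would run once.

```cl
/* One-time setup (ADMLIB and the HELPDESK group are assumed):   */
/*  CRTUSRPRF USRPRF(PROFOWN) PASSWORD(*NONE) STATUS(*DISABLED) + */
/*            SPCAUT(*NONE) TEXT('Owns user profiles')            */
/*  CRTCLPGM  PGM(ADMLIB/CRTPRF) SRCFILE(ADMLIB/QCLSRC) +         */
/*            USRPRF(*OWNER) AUT(*EXCLUDE)                        */
/*  CHGOBJOWN OBJ(ADMLIB/CRTPRF) OBJTYPE(*PGM) NEWOWN(PROFOWN)    */
/*  GRTOBJAUT OBJ(ADMLIB/CRTPRF) OBJTYPE(*PGM) USER(HELPDESK) +   */
/*            AUT(*USE)                                           */
/* Callers still need *SECADM; USRPRF(*OWNER) lends them         */
/* PROFOWN's owner authority only while this program is on the   */
/* call stack, and PROFOWN itself cannot sign on.                 */
             PGM        PARM(&USER &PWD)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PWD)  TYPE(*CHAR) LEN(10)

             /* Create the profile with a one-time password and   */
             /* no special authorities. The job's user (the       */
             /* administrator) owns it at this point.             */
             CRTUSRPRF  USRPRF(&USER) PASSWORD(&PWD) PWDEXP(*YES) +
                          USRCLS(*USER) SPCAUT(*NONE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* Hand ownership to PROFOWN and revoke the creating */
             /* administrator's private authority, so no user    */
             /* owns the profile and any caller of the tools can  */
             /* maintain it later.                                */
             CHGOBJOWN  OBJ(&USER) OBJTYPE(*USRPRF) NEWOWN(PROFOWN) +
                          CUROWNAUT(*REVOKE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))
             RETURN

 ERROR:      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('CRTPRF failed for' *BCAT &USER) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

A password-reset tool follows the same pattern (owned by PROFOWN, compiled with USRPRF(*OWNER)) and runs CHGUSRPRF USRPRF(&USER) PASSWORD(&PWD) PWDEXP(*YES) STATUS(*ENABLED) instead of CRTUSRPRF; because all profiles are owned by PROFOWN, it works regardless of which administrator created the profile.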
Related Q&A from Carol Woodbury