If a user has the QSECOFR class assigned to them but has the special authority *SECADM removed, does the user still have *SECADM abilities because they are assigned to the QSECOFR class?
A lot of confusion surrounds the User class of a profile. I don't know how this idea started, but many people are under the impression that the User class carries more meaning than it does. OS/400 only uses User class for three things on the system 1- to default the special authorities given to the profile when the profile is created, 2- to determine what OS/400 menu options the user sees and 3- to determine how to adjust the special authorities for users when moving from security level 20 to levels 30, 40 or 50 (at security level 20, all profiles, by default, are given *ALLOBJ and *SAVSYS, so OS/400 removes these based on the User class when the system level changes.)
A user can be in the *SECOFR user class and have no special authorities or the user can be in the *USER user class and have all of the special authorities. It really doesn't matter. OS/400 never checks the User class when it is looking to see if a user has sufficient authority to access an object or is looking to see if a user has a specific special authority.
That said, let's look at your question. You ask if a user is assigned to the "QSECOFR class" whether they still have *SECADM capabilities because they are in this class. First a bit of clarification -- there is no "QSECOFR class" so I'm guessing that you mean the *SECOFR User class. Next, as I explained above, OS/400 is going to look to see if the user has *SECADM special authority -- it is not going to look at the user profile's User class. So despite the fact that the user is in the *SECOFR User class, the user does not have *SECADM capabilities.
Dig Deeper on iSeries system documentation and support
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
When error messages arise concerning attempts to use a permanent system object without authority, find the source of the issue by looking for an AF ... Continue Reading