The special user profiles on your system that are set up as security officers really do have the keys to the kingdom when it comes to accessing your system. No files, programs, data objects, files in the IFS, and more are safe from access by someone who is logged onto your system from one of these user profiles. Keeping these profiles limited to certain devices is a good objective so that someone using them will be under direct supervision.
The best way to approach this is through a combination of object security configuration on your terminal device descriptions along with a varied setting for the system value QLMTSECOFR. Your system will come from the factory with this system value set to '0' which lets anyone with *ALLOBJ authority sign on to any old terminal. Changing this to '1' will let only the security officer sign on to a terminal where they have specific authority granted at the device description level.
BUT --- WARNING WARNING WARNING --- don't go rushing off to make this change! You must first get it set up and test it before adopting it as practice could result in your security officer profile getting permanently locked out of your system, and you don't want that situation on your hands.
Your first step is to identify the device description object for your system console and make sure that QSECOFR is expressly granted permission to use the object (i.e.: *ALL authority). The device descriptions on your system are all stored in the QSYS library with object type of *DEVD. You can make changes in the authorities for the object using the Edit Object Authority (EDTOBJAUT) command. When your console device has been updated, find the backup console device description too (on most systems, it is called QCONSOLE) and do the same thing there.
To test this setup, sign on as QSECOFR on a normal terminal and leave that session active for the duration of your test. That way, if things go south on you, you still have an active security officer session to fall back on to make changes. With this backup session active, make the changes to the system value and the device descriptions. If you have an old twin-ax console, turn it off and then back on. In either case, vary the console device off and then back on too to make sure you're using the updated authorities for the device. Then, make sure that you can sign on from the console using the security officer profile.
Assuming that all is OK, then you'll need to scour your system for the other terminal device descriptions to make sure that the security officer profile is not authorized for any of them. Once this is done, then try to sign on as the security officer on another terminal, it should be denied.
Only when you're satisfied that everything is working as planned should you release the security officer session that you've been holding open as your back door.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.