WARNING ~ Any changes to the QSECOFR configuration must be tested exhaustively to make sure the QSECOFR profile is not permanently locked out of the system.
It might make sense to limit logins from powerful user profiles like QSECOFR to specific devices. You can do this with terminal device descriptions and the QLMTSECOFR system value.
The default system value is set to '0', which lets anyone with *ALLOBJ authority sign on to any terminal session. Changing this to '1' will only let the security officer sign on to a terminal session where they have specific authority granted at the device description level.
- Identify the device description object for your system console and make sure that QSECOFR is expressly granted permission to use the object (i.e., *ALL authority).
- Device descriptions are stored in the QSYS library with object type of *DEVD
- Use "Edit Object Authority" (EDTOBJAUT) to change the authorities for the object.
- Also update the backup console device description (on most systems, it is called QCONSOLE)
Testing the configuration:
- Sign on as QSECOFR on a normal terminal session and leave that active for the duration of your test. **IMPORTANT:** leaving this session active gives you a fallback position if the configuration test fails.
- Update system values and device descriptions as outlined above.
- Toggle the console device off/on to make sure it's using the updated authorities.
- Confirm you can log in from the console using QSECOFR.
- Check all terminal device descriptions to make sure QSECOFR is not authorized on them.
- When everything is confirmed, release the open QSECOFR session from step 1.
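
The configuration and test steps above, written out as CL commands. This is an added example, not part of the original page; DSP01 (console) and DSP02 (an ordinary terminal) are placeholder device names, so substitute the ones on your system.

```cl
/* Assumption: DSP01 stands in for the console device description   */
/* and DSP02 for an ordinary terminal. Run these from the QSECOFR   */
/* session you are keeping open as a fallback.                      */

/* Record the current value and list the *DEVD objects in QSYS */
DSPSYSVAL SYSVAL(QLMTSECOFR)
WRKOBJ OBJ(QSYS/*ALL) OBJTYPE(*DEVD)

/* Grant QSECOFR explicit authority on the console and on the       */
/* backup console description (QCONSOLE on most systems), then      */
/* confirm the grant. EDTOBJAUT does the same job interactively.    */
GRTOBJAUT OBJ(QSYS/DSP01) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*ALL)
GRTOBJAUT OBJ(QSYS/QCONSOLE) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*ALL)
DSPOBJAUT OBJ(QSYS/DSP01) OBJTYPE(*DEVD)

/* Only after the grants are confirmed, turn the restriction on */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')

/* Toggle the console device so it uses the updated authorities */
VRYCFG CFGOBJ(DSP01) CFGTYPE(*DEV) STATUS(*OFF)
VRYCFG CFGOBJ(DSP01) CFGTYPE(*DEV) STATUS(*ON)

/* Repeat for each terminal device: QSECOFR should not be listed */
DSPOBJAUT OBJ(QSYS/DSP02) OBJTYPE(*DEVD)

/* Fallback if the console sign-on test fails: restore the value    */
/* from the session that is still signed on                         */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('0')
```

Run the final CHGSYSVAL only if the console sign-on test fails; otherwise leave QLMTSECOFR at '1' and end the fallback session.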