RE: How do you manage your QSECOFR profile and other Q profiles? -- MIDRANGE-L

John,
Here is a third.

When you need to reset the password on the DST QSECOFR password, in
order to run the command, CHGDSTPWD, you must be signed on as QSECOFR.
Someone with QSECOFR-like privileges just won't do.

Pete

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Earl
Sent: Monday, August 11, 2008 7:51 PM
To: Midrange Systems Technical Discussion
Subject: RE: How do you manage your QSECOFR profile and other Q profiles?

Bryan,

There are only two times that you need the QSECOFR Password:
1) When loading or reloading the OS
2) When some ignorant vendor product checks to see if you are signing on
with QSECOFR in order to load their product. :(

At all other times a facsimile profile will work just fine. It's a good
idea to minimize the use of the QSECOFR profile anyway because you
reduce the chances of breaking it or getting it corrupted on you.

That being said, I would change it's password expiration Interval to
*NOMAX, store it in a sealed envelope in a safe place (like a safe) and
then change it after each use.

All other IBM profiles (QSYSOPR, QPGMR, QUSER, QSRV, QSRVBAS, etc) you
can change to password of *NONE). When you actually need them, you can
have a Security Officer give them a password.

The next question is how to secure the other profiles that are
facsimiles (have all eight Special Authorities) of QSECOFR. But lucky
for you I'll bet your Auditor is not checking that :)

jte

--

John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx

Email is an excellent way to communicate material that is not time
sensitive. If your communication is of a more urgent nature, please
call.

===========================
This email message and any attachments are intended only for the use of
the intended recipient named above and may contain information that is
privileged and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message or by telephone and delete the
message from your email system. Thank you.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Burns, Bryan
Sent: Monday, August 11, 2008 12:40 PM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: How do you manage your QSECOFR profile and other Q profiles?

We have a small shop and the five of us - two developers, an
administrator, a manager and a VP - all have powerful enough
profiles that we rarely need to sign on as QSECOFR or any
other Q profile.

Because of the powerful profiles we have, we don't really
have a policy on usage of the QSECOFR profile but I need to
write a policy and manage the QSECOFR profile properly.
What's the best practice here? Should just one person know
it and keep it a record of it in the safe, so if he's not
here, someone can at least get at it?

What about changing it? It seems kind of senseless and error
prone to change it every ninety days in accordance with the
rest of our policy if it hasn't been used in 90 days.

QSYSOPR hasn't been used since August 2000. Do any of you use
the QSYSOPR profile? I'm thinking the administrator (that'd
be me) should start using it as a day to day profile just for
tracking purposes.

Bryan Burns
iSeries Specialist
ECHO, Incorporated
Lake Zurich, Illinois

--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take a moment to review the archives at
http://archive.midrange.com/midrange-l.