|
midrange.com
>Tom wrote:
> In setting up a new 9406-270, I find that the QSECOFR (or any other secofr
> profile) can only log in to the system console. I've checked system value
> QLMTSECOFR and it's set to '0'. What else should I be looking at in order
> to allow secofr profiles to log in at other than the system console?
Andy noted the QLMTSECOFR system value.
</From the help text>
QLMTSECOFR
Limit security officer device access. This system value controls
whether users with *ALLOBJ or *SERVICE special authorities need
explicit authority to specific work stations.
A change to this system value takes effect immediately. The shipped
value is 1.
Limit authority
0 Users with *ALLOBJ or *SERVICE special authorities can
sign-on any device.
1 Users with *ALLOBJ or *SERVICE special authorities can
sign-on only at a device to which they have explicit
authority.
</From the help text>
IBM does this for security reasons...If QLMTSECOFR is set to '1', then in
order for QSECOFR to logon to any device other than the console device, you
must first grant QSECOFR *CHANGE or higher authority to that device.
Example:
GRTOBJAUT OBJ(QSYS/DSP02) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*CHANGE)
will give QSECOFR the authority to use DSP02.
Be _very_ careful about which devices you explicity authorize QSECOFR to
use. For security reasons, it is best to keep these devices either in the
computer room or in a room which can be locked when not occupied.
Hope this helps,
Steve Landess
Austin, Texas
(512) 423-0935
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
