I'd agree. One problem with having multiple QSECOFR profiles is that one of those with *SECOFR rights can simply go into the real QSECOFR profile and change the password in the "real" profile. If you never use that profile, how would you know that somebody has re-opened the door that you think is closed? Granted, you can monitor QHST and come up with all kinds of warnings, but that just begs the question: why go through the trouble when you can keep all of the access underneath one profile and monitor that profile? Worse yet, each of the QSECOFR copies can maintain their own password as well, by-passing any rules your company may have put in place. Now you have to wonder if one of the copies has created a totally inappropriate password (easily guessed, same as something else the user has, whatever......).

Between limiting security officer device access (QLMTSECOFR) and limiting all profiles to three login attempts before lockout, I don't have much fear. It is darn unlikely that anybody will guess this month's password in three tries. If I find QSECOFR locked out from everything but the console, I will know exactly what happened and am in a position to take care of it.

> message: 1
> date: Mon, 9 Feb 2004 16:49:34 -0500
> from: rob@xxxxxxxxx
> subject: RE: Can We retire the QSECOFR userid?
>
> Does anyone really see a difference between having the generic QSECOFR or
> a generic MYSECOFR with the same authorities? Granted, there are some
> very limited applications where you must be QSECOFR, (ptf's ain't one of
> them). But does creating the MYSECOFR give you any additional security?
> None that I can think of. Oh, I suppose you could disable QSECOFR and
> then a hack trying it would have a bear of a time getting in. But, other
> than that? If so, why bother?
>
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].