× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2008

Re: How do you manage your QSECOFR profile and other Q profiles?

Bryan

I'm inclined NOT to use either QSECOFR or QSYSOPR for daily stuff. For one thing, you get object ownership that can overflow the limits for user profiles. For another, you don't really know WHO did WHAT to your machine.

Now QSYSOPR could be a group profile, maybe - not QSECOFR - I forget if it even can be a group profile!!

So save QSECOFR for support personnel from IBM or if explicitly called for. Verify with any vendor whether you actually have to use it, or just a user with *SECOFR class.

By the way, there are actually 2 QSECOFR profiles - one is the regular user, the other is the service tools user - you get to that through DST or even SST on more recent releases, I think. Here, again, I advise never using it, except for service personnel - then change it immediately after use. Create profiles for each of you, first, so that you don't disable QSECOFR, and, second, for auditing purposes.

BTW, you can get around the restriction on repeating a password in the last 32, by changing it in the options in DST or SST. If you DO disable a service tools profile by entering the wrong password, you have to use a new one. Same kind of thing that if you use CHGPWD you can't repeat within a certain number of passwords. Using CHGUSRPRF, you get around that rule.

HTH
Vern
-------------- Original message --------------
From: "Burns, Bryan" <Bryan_Burns@xxxxxxxxxxxx>

We have a small shop and the five of us - two developers, an administrator, a
manager and a VP - all have powerful enough profiles that we rarely need to sign
on as QSECOFR or any other Q profile.

Because of the powerful profiles we have, we don't really have a policy on usage
of the QSECOFR profile but I need to write a policy and manage the QSECOFR
profile properly. What's the best practice here? Should just one person know
it and keep it a record of it in the safe, so if he's not here, someone can at
least get at it?

What about changing it? It seems kind of senseless and error prone to change it
every ninety days in accordance with the rest of our policy if it hasn't been
used in 90 days.

QSYSOPR hasn't been used since August 2000. Do any of you use the QSYSOPR
profile? I'm thinking the administrator (that'd be me) should start using it as
a day to day profile just for tracking purposes.


Bryan Burns
iSeries Specialist
ECHO, Incorporated
Lake Zurich, Illinois

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.