ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvqlmtsecofr.htm

133 lines
7.5 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Limit security officer" />
<meta name="abstract" content="You may want to restrict users with authority to change security and control objects to certain workstations." />
<meta name="description" content="You may want to restrict users with authority to change security and control objects to certain workstations." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansyslvlsec.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="qlmtsecofr" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Limit security officer</title>
</head>
<body id="qlmtsecofr"><a name="qlmtsecofr"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Limit security officer</h1>
<div><p>You may want to restrict users with authority to change security
and control objects to certain workstations.</p>
<p>This prevents these users from signing on to workstations in remote locations
without your knowledge. The limit security officer system value controls whether
a user with all-object (*ALLOBJ) or service (*SERVICE) special authority can
sign on to any workstation. Limiting powerful user profiles to certain well-controlled
workstations provides security protection. This system value restricts the
security officer, users with authority over all the objects on the system,
and service personnel to the console. To give these users access to other
devices, you can use the (GRTOBJAUT) command.</p>
<p>See <a href="#qlmtsecofr__quickref">Quick reference</a> table
for an overview of the limit security officer system value.</p>
<div class="p">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Possible values for the limit security officer
system value</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e29">iSeries™ Navigator </th>
<th valign="bottom" id="d0e33">Character-based interface</th>
<th valign="bottom" id="d0e35">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e29 ">Deselected</td>
<td valign="top" headers="d0e33 ">0 (No)</td>
<td valign="top" headers="d0e35 ">Users with *ALLOBJ or *SERVICE special authority can
sign on at any display station for which they have change (*CHANGE) authority.
They can receive *CHANGE authority through private or public authority or
because they have *ALLOBJ special authority.</td>
</tr>
<tr><td valign="top" headers="d0e29 ">Selected</td>
<td valign="top" headers="d0e33 ">1 (Yes)</td>
<td valign="top" headers="d0e35 ">A user with *ALLOBJ or *SERVICE special authority can
sign on at a display station only if that user is specifically authorized
(that is, given *CHANGE authority) to the display station or if user profile
QSECOFR is authorized (given *CHANGE authority) to the display station. This
authority can not come from public authority.</td>
</tr>
</tbody>
</table>
</div>
</div>
<p><span class="uicontrol">Relationship to security policy</span></p>
<p>Limiting the workstation access that users with *ALLOBJ and *SERVICE special
authorities allows you to monitor the activities that these users perform.
You can monitor their access on these devises and react to any suspicious
activity quickly. You security policy should document which devices will be
used by these users. </p>
<div class="p">
<div class="tablenoborder"><a name="qlmtsecofr__quickref"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="qlmtsecofr__quickref" frame="border" border="1" rules="all"><caption>Table 2. Quick Reference. Provides
details for the limit security officer system value.</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e70">iSeries Navigator name</th>
<th valign="bottom" id="d0e74">Restrict privileged users to specific devices</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e70 ">Character-based interface name</td>
<td valign="top" headers="d0e74 ">QLMTSECOFR</td>
</tr>
<tr><td valign="top" headers="d0e70 ">Authority</td>
<td valign="top" headers="d0e74 "><p>All object access (*ALLOBJ)<br />
Security administrator (*SECADM)</p>
<div class="note"><span class="notetitle">Note:</span> The Security Officer (QSECOFR)
user profile is shipped with these authorities. </div>
</td>
</tr>
<tr><td valign="top" headers="d0e70 ">How to access</td>
<td valign="top" headers="d0e74 "><div class="p"><strong>iSeries Navigator</strong><ol><li>Expand <span class="menucascade"><span class="uicontrol">Security</span> &gt; <span class="uicontrol">Policies</span></span>.</li>
<li>Right click <span class="uicontrol">Signon Policy</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">General</span> page, you will find the option for
limiting privileged users.</li>
</ol>
</div>
<div class="p"><span class="uicontrol">Character-based interface</span><ol><li>In the character-based interface, type <samp class="codeph">WRKSYSVAL QLMTSECOFR</samp>.</li>
</ol>
</div>
</td>
</tr>
<tr><td valign="top" headers="d0e70 ">Changes take effect</td>
<td valign="top" headers="d0e74 ">Immediately</td>
</tr>
<tr><td valign="top" headers="d0e70 ">Default value</td>
<td valign="top" headers="d0e74 ">Deselected</td>
</tr>
<tr><td valign="top" headers="d0e70 ">Recommended value</td>
<td valign="top" headers="d0e74 ">Always display signon</td>
</tr>
<tr><td valign="top" headers="d0e70 "><a href="rzamvlockdown.htm">Lockable</a></td>
<td valign="top" headers="d0e74 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e70 ">Special considerations </td>
<td valign="top" headers="d0e74 "> In order for the limit security officer system value
to work, your system security level needs to be 30 or higher.</td>
</tr>
</tbody>
</table>
</div>
</div>
<p>For more detailed information about this security value, see Chapter 3, <span class="q">"Security
System Values"</span> in <a href="../books/sc415302.pdf" target="_blank">Security
Reference</a>. </p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansyslvlsec.htm" title="System security entails controlling user access and their privileges, maintaining information integrity, monitoring processes and access, auditing system functions, and providing backup and recovery of security related information.">Plan system security</a></div>
</div>
</div>
</body>
</html>