Only the security officer (or a program adopting his authority) or a user with *ALLOBJ and *SECADM authority can change the Journal accounting information (QACGLVL) system value.
The change takes effect when a new job enters the system. This restriction ensures that if job accounting is in effect and the security officer performs a system IPL, an accounting entry is written for the security officer's job.
You can assign job accounting codes only if you have the authority to use the Create User Profile (CRTUSRPRF), Change User Profile (CHGUSRPRF) or Change Accounting Code (CHGACGCDE) command. This restricts the use of accounting codes and provides a basis for validity checking any changes.
Only a user with the *SECADM special authority is allowed to use the CRTUSRPRF and CHGUSRPRF commands. However, the security officer can delegate this authority by creating a CL program, which allows another user to adopt the security officer's profile and change the ACGCDE parameter in the user profile. The individual could then have authority to one or more CL programs.
The ACGCDE parameter also exists in job description objects, but you must have the authority to use the CHGACGCDE command to enter a value other than the default of *USRPRF. CHGACGCDE is shipped with PUBLIC authority of *USE.
You can provide additional security by using the CHGACGCDE command in a CL program, which adopts the program owner's authority. This allows the user who is running an external function to perform a security-sensitive function without having direct authorization to the CHGACGCDE command.
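The delegation described above, as an added CL example that is not IBM-supplied code: a program that adopts its owner's authority and changes only the ACGCDE parameter of a user profile, with simple validity checks. The names SECLIB, QCLSRC, CHGUSRACG and ACCTCLERK are hypothetical; a wrapper around the CHGACGCDE command follows the same pattern.

```cl
/* CHGUSRACG - constructed example, not IBM-supplied code.           */
/* SECLIB, QCLSRC and ACCTCLERK are hypothetical names.              */
/*                                                                   */
/* Build and lock down (run by the security officer):                */
/*   CRTBNDCL  PGM(SECLIB/CHGUSRACG) SRCFILE(SECLIB/QCLSRC)          */
/*             USRPRF(*OWNER)                                        */
/*   CHGOBJOWN OBJ(SECLIB/CHGUSRACG) OBJTYPE(*PGM) NEWOWN(QSECOFR)   */
/*   GRTOBJAUT OBJ(SECLIB/CHGUSRACG) OBJTYPE(*PGM) USER(*PUBLIC)     */
/*             AUT(*EXCLUDE)                                         */
/*   GRTOBJAUT OBJ(SECLIB/CHGUSRACG) OBJTYPE(*PGM) USER(ACCTCLERK)   */
/*             AUT(*USE)                                             */

             PGM        PARM(&USER &CODE)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CODE) TYPE(*CHAR) LEN(15)

             /* Validity check 1: refuse Q* (IBM-supplied) profiles  */
             IF         COND(%SST(&USER 1 1) *EQ 'Q') THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                             MSGDTA('Q profiles cannot be changed +
                             by this program') MSGTYPE(*ESCAPE)
             ENDDO

             /* Validity check 2: refuse a blank accounting code     */
             IF         COND(&CODE *EQ ' ') THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                             MSGDTA('Accounting code is required') +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* The only privileged action. The command is library-  */
             /* qualified so the caller's library list cannot        */
             /* substitute another CHGUSRPRF while authority is      */
             /* adopted. No other parameter is exposed.              */
             QSYS/CHGUSRPRF USRPRF(&USER) ACGCDE(&CODE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                             MSGDTA('Accounting code was not changed') +
                             MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

The delegated user runs `CALL PGM(SECLIB/CHGUSRACG) PARM('USERNAME' 'CODE')` and needs no *SECADM special authority and no direct authority to CHGUSRPRF.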
The accounting journal and its receivers are treated as any other journal objects from a security viewpoint. You must decide what authorization should exist for the accounting journal and journal receiver.