Find information about how to lock and unlock system values. Only some system values can be locked. This topic describes the lock function, which system values can be locked, and how to lock and unlock them.
Most security system values can be altered only by a user with Security administrator (*SECADM) and All object (*ALLOBJ) special authorities. To prevent even these users from changing these system values during normal operation, system service tools (SST) and dedicated service tools (DST) provide an option to lock these security values.
The default value for this option, Allow security-related system values changes, is Yes; therefore, users can change security-related system values.
The following table identifies the system values that are affected by this option. Both the iSeries™ Navigator name and the character-based name are specified.
Lockable system values (iSeries Navigator name) | Character-based name |
---|---|
Auditing system values | |
Activate action auditing | QAUDLVL |
Activate object auditing | QAUDCTL |
Audit journal error action | QAUDENACN |
Default auditing for newly created objects | QCRTOBJAUD |
Maximum number of journal entries in auxiliary storage | QAUDFRCLVL |
Device system values | |
Local controllers and devices | QAUTOCFG |
Pass-through devices and Telnet | QAUTOVRT |
Action to take when a device error occurs | QDEVRCYACN |
Remote controllers and devices | QAUTORMT |
Jobs system values | |
Allow jobs to be interrupted | QALWJOBITP |
Time-out interval | QDSCJOBITV |
When job reaches time-out | QINACTMSGQ |
Password system values | |
Password expiration | QPWDEXPITV |
Restrict consecutive digits | QPWDLMTAJC |
Restricted characters | QPWDLMTCHR |
Restrict repeating characters | QPWDLMTREP |
Password level | QPWDLVL |
Maximum password length | QPWDMAXLEN |
Minimum password length | QPWDMINLEN |
Require a new character in each position | QPWDPOSDIF |
Require at least one digit | QPWDRQDDGT |
Password reuse cycle | QPWDRQDDIF |
Password validation program | QPWDVLDPGM |
Messages and service system values | |
Allow remote service of system | QRMTSRVATR |
Save and restore system values | |
Verify object signatures on restore | QVFYOBJRST |
Convert objects during restore | QFRCCVNRST |
Allow restore of security sensitive objects | QALWOBJRST |
Security system values | |
Security level | QSECURITY |
Allow server security information to be retained | QRETSVRSEC |
Users who can work with programs with adopted authority | QUSEADPAUT |
Default authority for newly created objects in QSYS.LIB file system | QCRTAUT |
Allow use of shared or mapped memory with write capability | QSHRMEMCTL |
Allow these objects in . . . | QALWUSRDMN |
Use registered exit programs to scan the root (/), QOpenSys, and user-defined file systems | QSCANFS |
Scan control | QSCANFSCTL |
Signon system values | |
Remote signon | QRMTSIGN |
Display signon information | QDSPSGNINF |
Restrict privileged users to specific device session | QLMTSECOFR |
Limit each user to one device session | QLMTDEVSSN |
Incorrect signon attempts | QMAXSIGN |
When maximum is reached | QMAXSGNACN |
If you specify No for Allow security-related system values changes, users cannot change security-related system values. If you need to change a security-related system value, the Allow security-related system values changes parameter must be changed to Yes in SST.
If you specify Yes for Allow security-related system values changes, users with the required authorities can change security-related system values. Even though the security-related system values are unlocked, you still need Security administrator (*SECADM) and All object (*ALLOBJ) special authorities to change them. If you do not want to allow users to change a security-related system value, the Allow security-related system values changes parameter must be changed to No in SST.