Limit security officer

You may want to restrict users with authority to change security and control objects to certain workstations.

This prevents these users from signing on at workstations in remote locations without your knowledge. The limit security officer system value controls whether a user with all-object (*ALLOBJ) or service (*SERVICE) special authority can sign on at any workstation. Limiting such powerful user profiles to a few well-controlled workstations provides security protection: when this system value is set, it restricts the security officer, users with authority over all the objects on the system, and service personnel to the console. To give these users access to other devices, grant them (or the QSECOFR profile) *CHANGE authority to the device description with the Grant Object Authority (GRTOBJAUT) command.

See the Quick reference table (Table 2) for an overview of the limit security officer system value.

Table 1. Possible values for the limit security officer system value

iSeries™ Navigator: Deselected
Character-based interface: 0 (No)
Description: Users with *ALLOBJ or *SERVICE special authority can sign on at any display station for which they have change (*CHANGE) authority. They can receive *CHANGE authority through private or public authority, or simply because they have *ALLOBJ special authority.

iSeries Navigator: Selected
Character-based interface: 1 (Yes)
Description: A user with *ALLOBJ or *SERVICE special authority can sign on at a display station only if that user is specifically authorized (that is, given *CHANGE authority) to the display station, or if user profile QSECOFR is authorized (given *CHANGE authority) to the display station. This authority cannot come from public authority, and *ALLOBJ special authority by itself does not satisfy it.

Relationship to security policy

Limiting the workstations that users with *ALLOBJ and *SERVICE special authorities can sign on at allows you to monitor the activities these users perform. You can watch their access on those devices and react to any suspicious activity quickly. Your security policy should document which devices these users are allowed to use.

Table 2. Quick reference for the limit security officer system value

iSeries Navigator name: Restrict privileged users to specific devices
Character-based interface name: QLMTSECOFR
Authority required to change it: All object access (*ALLOBJ) and Security administrator (*SECADM)
  Note: The Security Officer (QSECOFR) user profile is shipped with these authorities.
How to access:
  iSeries Navigator
    1. Expand Security > Policies.
    2. Right-click Signon Policy and select Properties.
    3. On the General page, you will find the option for limiting privileged users.
  Character-based interface
    1. Type WRKSYSVAL QLMTSECOFR.
Changes take effect: Immediately
Default value: Deselected (0)
Recommended value: Selected (1)
Lockable: Yes
Special considerations: The limit security officer system value is enforced only when the system security level (QSECURITY) is 30 or higher.
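The following CL command sequence is an added example, not part of the original page or of IBM's own documentation. It walks through the character-based procedure end to end: confirming the prerequisites, authorizing the workstations that privileged users may use, and only then turning the restriction on so that nobody is locked out. The device names DSP01 and DSP02 and the user profile SECADMIN are assumptions; substitute the device descriptions and profiles on your own system.

```cl
/* Added example (not from the page or IBM). Device names DSP01/DSP02 */
/* and user profile SECADMIN are assumed; replace with your own.      */

/* 1. QLMTSECOFR is only enforced at security level 30 or higher,    */
/*    so check QSECURITY first.                                       */
DSPSYSVAL  SYSVAL(QSECURITY)

/* 2. Identify the console. The console is the device privileged    */
/*    users fall back to once the restriction is in force.           */
DSPSYSVAL  SYSVAL(QCONSOLE)

/* 3. Authorize devices BEFORE enabling the restriction. Public      */
/*    authority and *ALLOBJ do not count once QLMTSECOFR is 1, so    */
/*    the grant must be an explicit private authority.               */
/*    Granting to QSECOFR opens the device to every *ALLOBJ/*SERVICE */
/*    user; granting to a named profile limits it to that user.      */
GRTOBJAUT  OBJ(QSYS/DSP01) OBJTYPE(*DEVD) USER(QSECOFR)  AUT(*CHANGE)
GRTOBJAUT  OBJ(QSYS/DSP02) OBJTYPE(*DEVD) USER(SECADMIN) AUT(*CHANGE)

/* 4. Verify the private authorities on each controlled device.      */
DSPOBJAUT  OBJ(QSYS/DSP01) OBJTYPE(*DEVD)
DSPOBJAUT  OBJ(QSYS/DSP02) OBJTYPE(*DEVD)

/* 5. Turn the restriction on. The change takes effect immediately.  */
CHGSYSVAL  SYSVAL(QLMTSECOFR) VALUE('1')

/* 6. Confirm the new setting.                                       */
DSPSYSVAL  SYSVAL(QLMTSECOFR)
```

The order matters: set the device authorities first and confirm them with DSPOBJAUT, then change the system value, so that an *ALLOBJ user who is already signed on at a remote display is never the only administrator left with a working session. To revert access for a device later, revoke the private authority with RVKOBJAUT using the same OBJ, OBJTYPE and USER parameters.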

For more detailed information about this security value, see Chapter 3, "Security System Values" in Security Reference.