Security level system value

This system value allows you to set the security level for the system.

The system offers five different levels of security. Each of these levels of security provides specific security controls for the system. Depending on the decisions you made in the security policy, you can select the security level that you need. IBM® ships all new systems with the security level 40, which provides a high level of security that is necessary for most installations. It is not recommended that you change the security level on a new system to a value lower than this.

Even though IBM recommends you keep systems at level 40, lower values are described to provide a function-by-function comparison between each security level.

Table 1. Possible values for the security level system value. This table compares the different settings and the functions that the security level allows.
Security level | iSeries™ Navigator description | Functions allowed | Functions not allowed
10 (no security) (note 1) | No passwords are needed and users have authority to all resources | Provide users with *ALLOBJ access to all objects. | NA
20 (low or relaxed security) | Passwords are required and users have authority to all resources
  • Provides users with *ALLOBJ access to all objects.
  • User name required to sign on.
  • Password required to sign on.
  • Password security active.
  • Menu and initial program security active.
  • Security auditing capabilities available.
  • Programs that contain restricted instructions cannot be created or recompiled.
  • *USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified in the QALWUSRDMN system value.
  • Resource security active.
  • User profile created automatically.
  • Programs that use unsupported interfaces fail at run time.
  • Enhanced hardware storage protection supported.
  • Pointers used in parameters are validated for user domain programs running in system state.
  • Message handling rules are enforced between system and user state programs.
  • A program’s associated space cannot be directly modified.
  • Internal control blocks are protected.
30 (medium or average security) | Passwords are required and users' access is based on their authority
  • User name required to sign on.
  • Password required to sign on.
  • Password security active.
  • Menu and initial program security active.
  • Security auditing capabilities available.
  • Programs that contain restricted instructions cannot be created or recompiled.
  • *USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified in the QALWUSRDMN system value.
  • Allow access to all objects.
  • Resource security active.
  • User profile created automatically.
  • Programs that use unsupported interfaces fail at run time.
  • Enhanced hardware storage protection supported.
  • Pointers used in parameters are validated for user domain programs running in system state.
  • Message handling rules are enforced between system and user state programs.
  • A program’s associated space cannot be directly modified.
  • Internal control blocks are protected.
40 (high or strict security) (note 2) | Protect from undocumented system interfaces
  • User name required to sign on.
  • Password required to sign on.
  • Password security active.
  • Menu and initial program security active.
  • Security auditing capabilities available.
  • Programs that contain restricted instructions cannot be created or recompiled.
  • *USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified in the QALWUSRDMN system value.
  • Pointers used in parameters are validated for user domain.
  • A program’s associated space cannot be directly modified.
  • Internal control blocks are protected.
  • Allow access to all objects.
  • User profile created automatically.
  • Message handling rules are enforced between system and user state programs.
50 (high or strict security) (note 3) | Enhance protection of system interfaces
  • User name required to sign on.
  • Password required to sign on.
  • Password security active.
  • Menu and initial program security active.
  • Security auditing capabilities available.
  • Programs that contain restricted instructions cannot be created or recompiled.
  • *USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified in the QALWUSRDMN system value.
  • Pointers used in parameters are validated for user domain.
  • A program’s associated space cannot be directly modified.
  • Internal control blocks are protected.
  • Allow access to all objects.
  • User profile created automatically.
Notes:
  1. Security level 10 is no longer supported. If you change from security level 10 to 20, 30, 40 or 50, you will not be able to change it back to level 10.
  2. IBM ships all new systems with a security level of 40. IBM strongly recommends that you leave the security level set to 40.
  3. At security level 50, no system internal control blocks can be modified. In comparison, some system internal control blocks can be modified at security level 40.

Relationship to your security policy

In your security policy, you try to maintain a balance between protecting your assets, user access, and system performance. If the system contains highly confidential material or information that would seriously compromise your business if it was lost or stolen, that system would require a higher security level than a system that contains less sensitive information. In addition, you may have a system that is connected to an insecure network, such as the Internet, and could potentially be targeted for an attack. These systems also need a higher security level to protect them.
Note: Security level alone does not protect systems connected to insecure networks from attack. If you are planning to connect to the Internet or any other insecure network, you need to analyze the risks not only to your system but also to your entire network.

Table 2. Quick reference. Provides details for the security level system value.
iSeries Navigator name: Security level
Character-based interface name: QSECURITY
Authority:
  • All object (*ALLOBJ)
  • Security administrator (*SECADM)
  Note: The Security Officer (QSECOFR) user profile is shipped with these authorities.
How to access:
  iSeries Navigator
  1. Expand Security > Policies.
  2. Right click Security Policy and select Properties.
  3. On the General page, you will find the options for security level.
  Character-based interface
  1. In the character-based interface, type WRKSYSVAL QSECURITY.
Changes take effect: At next restart of the server
Default value: 40 (Protect from undocumented system interfaces)
Recommended values: 40 (Protect from undocumented system interfaces)
Lockable: Yes
Special considerations: If you change from security level 10 to 20, 30, 40 or 50, you will not be able to change back to level 10.

For more detailed information about this security value, see Chapter 3, "Security System Values" in Security Reference.
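
The interactive WRKSYSVAL QSECURITY check above can also be run unattended. The CL program below is an added example, not IBM's code: it retrieves QSECURITY and ends with an escape message when the level is below the recommended 40, so a scheduled job fails visibly. The variable names are hypothetical, and the *ALL setting of QALWUSRDMN that it also reports is an assumption not taken from this page.

```cl
/* Added example: audit check for the QSECURITY system value.        */
/* Variable names are hypothetical. The program only reads values;   */
/* a change to QSECURITY takes effect at the next restart.           */
PGM
  DCL VAR(&SECLVL) TYPE(*CHAR) LEN(2)
  DCL VAR(&USRDMN) TYPE(*CHAR) LEN(500)
  DCL VAR(&MSG)    TYPE(*CHAR) LEN(120)

  /* QSECURITY is returned as two characters: 10, 20, 30, 40 or 50   */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)

  /* Libraries in which *USRSPC, *USRIDX and *USRQ can be created    */
  RTVSYSVAL SYSVAL(QALWUSRDMN) RTNVAR(&USRDMN)

  /* Below the shipped and recommended level 40: send an escape      */
  /* message so the calling job ends abnormally and is noticed.      */
  IF COND(&SECLVL *LT '40') THEN(DO)
    CHGVAR VAR(&MSG) VALUE('QSECURITY is ' *CAT &SECLVL *CAT +
             ', below the recommended level 40')
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                MSGTYPE(*ESCAPE)
  ENDDO

  /* Informational: *ALL (assumed setting, not from this page) means */
  /* user domain objects are not restricted to specific libraries.   */
  IF COND(%SST(&USRDMN 1 10) *EQ '*ALL') THEN(DO)
    SNDPGMMSG MSG('QALWUSRDMN is *ALL: user domain objects are +
                not restricted to specific libraries')
  ENDDO

  CHGVAR VAR(&MSG) VALUE('QSECURITY is ' *CAT &SECLVL *CAT +
           ', at or above the recommended level 40')
  SNDPGMMSG MSG(&MSG)
ENDPGM
```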