<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Service tools user IDs" />
<meta name="abstract" content="Service tools user IDs are user IDs that are required to access service functions through dedicated service tools (DST), system service tools (SST), iSeries Navigator (for logical partitions and disk unit management), and Operations Console. Service tools user IDs are created through DST or SST and are separate from user profiles." />
<meta name="description" content="Service tools user IDs are user IDs that are required to access service functions through dedicated service tools (DST), system service tools (SST), iSeries Navigator (for logical partitions and disk unit management), and Operations Console. Service tools user IDs are created through DST or SST and are separate from user profiles." />
<meta name="DC.Relation" scheme="URI" content="rzamhstconcepts.htm" />
<meta name="DC.Relation" scheme="URI" content="../books/sc415300.pdf" />
<meta name="DC.Relation" scheme="URI" content="../rzajr/rzajropconoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzajr/rzajrsecurity.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamhpwpolicies.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamhmonitor.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamhaccess.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzamhwhatuserids" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Service tools user IDs</title>
</head>
<body id="rzamhwhatuserids"><a name="rzamhwhatuserids"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Service tools user IDs</h1>
<div><p><em>Service tools user IDs</em> are user IDs that are required to
access service functions through dedicated service tools (DST), system service
tools (SST), iSeries™ Navigator
(for logical partitions and disk unit management), and Operations Console.
Service tools user IDs are created through DST or SST and are separate from
user profiles.</p>
<div class="section"><p>IBM<sup>®</sup> provides
the following service tools user IDs:</p>
</div>
<div class="section"> <ul><li>QSECOFR</li>
<li>QSRV</li>
<li>22222222</li>
<li>11111111</li>
</ul>
</div>
<div class="section"><p>The passwords for service tools user IDs QSECOFR, QSRV, and 22222222
are shipped as expired. All service tools passwords are shipped in uppercase.</p>
</div>
<div class="section"><p><img src="./delta.gif" alt="Start of change" />You can create a maximum of 100 service tools
user IDs (including the four IBM-supplied user IDs). Specific authorities
are granted to the IBM-provided service tools user IDs. The IBM-supplied service
tools user ID 11111111 is useful when upgrading Operations Console.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><div class="note"><span class="notetitle">Note:</span> When IBM ships a server, there is a QSECOFR <span class="keyword">i5/OS™</span> user
profile and a QSECOFR service tools user ID. These are not the same. They
exist in different locations and are used to access different functions. Your
QSECOFR service tools user ID can have a different password from your QSECOFR
user profile. Service tools user IDs have different password policies than <span class="keyword">i5/OS</span> user profiles.</div>
</div>
<div class="section"><p>Creating additional service tools user IDs allows a security administrator
to manage and audit the use of service tools without giving out the passwords
to the IBM-supplied service tools user IDs. You can create additional service
tools user IDs using dedicated service tools (DST) or system service tools
(SST).</p>
</div>
<div class="section"><div class="attention"><span class="attentiontitle">Attention:</span> If you lose or forget the passwords for all <span class="keyword">i5/OS</span> security officer profiles
and all security service tools user IDs, you might need to install and initialize
your system from distribution media to recover them. For this reason, it is
recommended that you create multiple profiles and user IDs. Contact your service
provider for assistance.</div>
</div>
<div class="section"><p>Service tools user IDs can have expiration dates, which allow
you to minimize your server's security risk. For example, you can create a
service tools user ID that is expired for an employee. The first time the
employee uses the ID, the employee must change the ID. You can disable the
user ID if a user terminates employment with the company, minimizing a former
employee's potential to maliciously access service tools.</p>
</div>
<div class="section" id="rzamhwhatuserids__funpriv"><a name="rzamhwhatuserids__funpriv"><!-- --></a><h4 class="sectiontitle">Functional privileges for service tools user
IDs</h4><p>The ability for a service tools user ID to access individual
service functions can be granted or revoked. This is called a <dfn class="term">functional
privilege</dfn>. You can set up functional privileges that control which
service functions can be accessed by any service tools user ID. Here are some
examples of how you might want to use functional privileges:</p>
</div>
<div class="section"> <ul><li>You can allow one user to take communications and Licensed Internal Code
traces and give a different user the functional privilege to manage disk units.</li>
<li>You can create a service tools user ID with the same functional privileges
as the IBM-supplied QSECOFR service tools user ID. You can then disable the
IBM-supplied QSECOFR service tools user ID. This will prevent people from
using the known QSECOFR user ID and help protect your server from security
risks.</li>
</ul>
</div>
<div class="section"><p>Functional privileges can be managed using DST or SST. A Start
Service Tools privilege allows a service tools user ID to access DST while
remaining restricted from accessing SST.</p>
</div>
<div class="section"><p>Before a user is allowed to use or perform a service function,
a functional privilege check is performed. If a user has insufficient privileges,
access to the service function is denied. There is an audit log to monitor
service function use by service tools users.</p>
</div>
<div class="section"><p>Like service tools user IDs, device IDs also have permissions
that can be granted or revoked and can prevent functions from working. Device
IDs can be accessed using SST.</p>
</div>
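<div class="section"><p>The checks below apply this page's guidance (the 100-ID limit, keeping multiple
full-privilege IDs, disabling the known QSECOFR ID once equivalents exist, and using expiration
dates) to a hand-transcribed inventory. This is an added example, not IBM code; the record layout,
privilege labels, sample IDs and the threshold of two full-privilege IDs are assumptions.</p>

```python
from datetime import date

IBM_SUPPLIED = {"QSECOFR", "QSRV", "22222222", "11111111"}  # listed on this page
MAX_IDS = 100  # page limit, IBM-supplied IDs included
MIN_FULL_PRIVILEGE_IDS = 2  # assumption: "multiple" read as at least two

# Constructed inventory, transcribed by hand from the DST/SST displays.
# Record layout and privilege labels are hypothetical, not an IBM export format.
FULL = {"START_SERVICE_TOOLS", "DISK_UNITS", "TRACES", "SECURITY"}
INVENTORY = [
    {"id": "QSECOFR", "enabled": True, "expires": None, "privs": set(FULL)},
    {"id": "QSRV", "enabled": False, "expires": None, "privs": {"TRACES"}},
    {"id": "SECADM01", "enabled": True, "expires": date(2026, 1, 31), "privs": set(FULL)},
    {"id": "SECADM02", "enabled": True, "expires": date(2026, 1, 31), "privs": set(FULL)},
    {"id": "DISKOP01", "enabled": True, "expires": None, "privs": {"DISK_UNITS"}},
    {"id": "TRACE01", "enabled": True, "expires": date(2024, 6, 30), "privs": {"TRACES"}},
]


def usable(rec, today):
    """An ID counts as usable only if enabled and not past its expiration date."""
    return rec["enabled"] and (rec["expires"] is None or rec["expires"] >= today)


def audit(inventory, today):
    """Return sorted (code, user_id) findings; user_id is "*" for system-wide ones."""
    findings = []
    if len(inventory) > MAX_IDS:
        findings.append(("OVER_LIMIT", "*"))
    ref = next((r for r in inventory if r["id"] == "QSECOFR"), None)
    full = [r["id"] for r in inventory
            if ref and usable(r, today) and r["privs"] >= ref["privs"]]
    site_full = [i for i in full if i not in IBM_SUPPLIED]
    if MIN_FULL_PRIVILEGE_IDS > len(full):
        findings.append(("LOCKOUT_RISK", "*"))
    # Flag the well-known QSECOFR ID only when enough site-created equivalents
    # exist that disabling it does not itself create a lockout risk.
    if "QSECOFR" in full and len(site_full) >= MIN_FULL_PRIVILEGE_IDS:
        findings.append(("KNOWN_ID_ENABLED", "QSECOFR"))
    for r in inventory:
        if r["id"] not in IBM_SUPPLIED and r["enabled"] and r["expires"] is None:
            findings.append(("NO_EXPIRATION", r["id"]))
    return sorted(findings)
```
</div>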
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamhstconcepts.htm" title="These concepts provide the basic information you need to get started with service tools user IDs and passwords.">Concepts for service tools user IDs and passwords</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzamhmonitor.htm" title="You can monitor the use of service functions through DST, and you can monitor service tools use through the security audit log. These logs can help you trace unusual access patterns or other potential security risks.">Monitor service function use</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzamhpwpolicies.htm" title="This topic describes the password policies for service tools user IDs and the process of changing Data Encryption Standard (DES) and Secure Hash Algorithm (SHA) encryption.">Password policies for service tools user IDs</a></div>
<div><a href="rzamhaccess.htm" title="You can access service tools using DST, SST, and iSeries Navigator.">Access service tools</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../books/sc415300.pdf" target="_blank">Tips and tools for securing your iSeries</a></div>
<div><a href="../rzajr/rzajropconoverview.htm">Operations console</a></div>
<div><a href="../rzajr/rzajrsecurity.htm">Secure your Operations Console configuration</a></div>
</div>
</div>
</body>
</html>