Workstations
The system performs authority checking for a workstation when you sign on.
A device description contains information about a particular device or logical unit that is attached to the system. When you sign on the system, your workstation is attached to either a physical or virtual device description. To successfully sign on, you must have *CHANGE authority to the device description.
The QLMTSECOFR (limit security officer) system value controls whether users with *ALLOBJ or *SERVICE special authority must be specifically authorized to device descriptions.
Figure 1 shows the logic for determining whether a user is allowed to sign on at a device:
- *ALLOBJ special authority from the user profile, group profile, or supplemental group profiles.
- Private authority to the device description in the user profile, the group profile, or supplemental group profiles.
- Authority to an authorization list used to secure the device description.
- Authority to an authorization list used to secure the public authority.
Authority checking for the device description is done before any programs are in the call stack for the job; therefore, adopted authority does not apply.
Description of authority checking for workstations
The system determines the user's authority to the workstation. (See note 1) If the authority is less than *CHANGE, the sign-on fails. If the authority is *CHANGE or greater, the system checks if the security level on the system is 30 or higher. If it is not, then the user is allowed to sign-on.
If the security level is 30 or higher, the system checks if the user has *ALLOBJ or *SERVICE special authority. If the user does not have either of these special authorities, then sign-on is allowed.
If the user has either *ALLOBJ or *SERVICE special authorities, then the system checks if the QLMTSECOFR system value is set to 1. If it is not set to 1, then sign-on is allowed.
If the QLMTSECOFR system value is set to 1, then the system will test the user's authority to the workstation. If the user's authority is *CHANGE or higher, then sign-on is allowed. If the user's authority is less than *CHANGE, sign-on fails. If the user has no authority to the workstation, the system checks the user's group authority to the workstation.
If the user's group authority is *CHANGE or higher, then sign-on is allowed. If the user's group authority is less than *CHANGE, sign-on fails. If the user's group has no authority to the workstation, the system checks whether the user has *SERVICE but not *ALLOBJ special authority.
If the user has *SERVICE but not *ALLOBJ special authority, then sign-on fails. If the user has *ALLOBJ special authority, then the system checks if QSECOFR has *CHANGE or higher.
If QSECOFR does not have *CHANGE or higher, then sign-on fails. If QSECOFR has *CHANGE or higher, then sign-on is allowed.
The security officer (QSECOFR), service (QSRV), and basic service (QSRVBAS) user profiles are always allowed to sign on at the console. The QCONSOLE (console) system value is used to determine which device is the console. If the QSRV or QSRVBAS profile attempts to sign on at the console and does not have *CHANGE authority, the system grants *CHANGE authority to the profile and allows sign-on.