Commands and menus for security commands

The SECTOOLS (Security Tools) menu, the SECBATCH (Submit or Schedule Security Reports to Batch) menu, the Configure System Security (CFGSYSSEC) and Revoke Public Authority (RVKPUBAUT) commands are four security tools you can use to configure your system security.

Two menus are available for security tools:
  • The SECTOOLS (Security Tools) menu to run commands interactively.
  • The SECBATCH (Submit or Schedule Security Reports to Batch) menu to run the report commands in batch. The SECBATCH menu has two parts. The first part of the menu uses the Submit Job (SBMJOB) command to submit reports for immediate processing in batch.

    The second part of the menu uses the Add Job Schedule Entry (ADDJOBSCDE) command. You use it to schedule security reports to be run regularly at a specified day and time.

Security settings and requirements for security tool objects:

  • Many of the security tool commands create files in the QUSRSYS library. When the system creates these files, the public authority for the files is *EXCLUDE. Files that contain information for producing changed reports have names that begin with QSEC. Files that contain information for managing user profiles have names that begin with QASEC. These files contain confidential information about your system. Therefore, you should not change the public authority to the files.
  • The security tools use your normal system setup for directing printed output. These reports contain confidential information about your system. To direct the output to a protected output queue, make appropriate changes to the user profile or job description for users who will be running the security tools.
  • Because of their security functions and because they access many objects on the system, the security tool commands require *ALLOBJ special authority. Some of the commands also require *SECADM, *AUDIT, or *IOSYSCFG special authority. To ensure that the commands run successfully, you should sign on as a security officer when you use the security tools. Therefore, you should not need to grant private authority to any security tool commands.

Avoid file conflicts

Many of the security tool report commands create a database file that you can use to print a changed version of the report. You can only run a command from one job at a time. If you run a command when another job has not yet finished running it, you will receive an error message.

Many print jobs take a long time to complete. You need to be careful to avoid file conflicts when you submit reports to batch or add them to the job scheduler. For example, you might want to print two versions of the PRTUSRPRF report with different selection criteria. If you are submitting reports to batch, you should use a job queue that runs only one job at a time to ensure that the report jobs run sequentially.

If you are using the job scheduler, you need to schedule the two jobs far enough apart that the first version completes before the second job starts.