Service tools user IDs

Service tools user IDs are user IDs that are required for accessing service functions through dedicated service tools (DST), system service tools (SST), IBM® Navigator for i (for disk unit management), and Operations Console.

Service tools user IDs are created through DST or SST and are separate from IBM i user profiles. IBM provides the following service tools user IDs:

  • QSECOFR
  • QSRV
  • 22222222
  • 11111111

All service tools passwords are shipped in uppercase.

The passwords for service tools user IDs QSECOFR, QSRV, 22222222, and 11111111 are shipped as expired.

The profiles for QSRV and 22222222 are shipped as disabled; they must be enabled by QSECOFR before they can be used.

The profile for service tools user ID 11111111 has all its privileges removed. The ID can only be used to start an Operations Console.

You can create a maximum of 100 service tools user IDs (including the four IBM-supplied user IDs). Specific authorities are granted to the IBM-provided service tools user IDs. The IBM-supplied service tools user ID 11111111 is useful when upgrading Operations Console.

Note: A QSECOFR user profile and a QSECOFR service tools user ID are provided with every system. The QSECOFR user profile and the QSECOFR service tools user ID are not the same. They exist in different locations and are used to access different functions. Your QSECOFR service tools user ID can have a different password from your QSECOFR user profile. Service tools user IDs have different password policies from user profiles.

Creating additional service tools user IDs allows a security administrator to manage and audit the use of service tools without giving out the passwords to the IBM-supplied service tools user IDs. You can create additional service tools user IDs using dedicated service tools (DST) or system service tools (SST).

Attention: If you lose or forget the passwords for all security officer profiles and all security service tools user IDs, you might need to install and initialize your system from distribution media to recover them. For this reason, it is suggested that you create multiple profiles and user IDs. Contact your service provider for assistance.

The passwords for service tools user IDs can have expiration dates, which allow you to minimize the security risk to your system. When users sign on with an expired password, they must change the password. A service tools user ID can be disabled, in which case it cannot be used at all until someone with the appropriate authority level re-enables it.

Functional privileges for service tools user IDs

Functional privileges control which service functions can be accessed by any service tools user ID. You can set up functional privileges to grant or revoke the ability for a service tools user ID to access individual service functions. These examples show how you might want to use functional privileges.

  • You can allow one user to take communications and Licensed Internal Code traces and give a different user the functional privilege to manage disk units.
  • You can create a service tools user ID with the same functional privileges as the IBM-supplied QSECOFR service tools user ID. You can then disable the IBM-supplied QSECOFR service tools user ID. This prevents people from using the known QSECOFR user ID and helps protect your system from security risks.

You can manage the functional privileges through DST or SST. When the Start Service Tools privilege is set to revoked, a service tools user ID can still access service functions through DST, but it cannot access SST.

Before a user is allowed to use or perform a service function, a functional privilege check is performed. If a user has insufficient privileges, access to the service function is denied. There is an audit log to monitor service function use by service tools users.
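The recommendations on this page can be checked against an inventory of service tools user IDs, as in the following added example, which is not IBM code. The record fields, the privilege labels, the site-created IDs SECADM1 and DISKOPS, and the two-administrator threshold are assumptions, because this page defines no export format.

```python
from dataclasses import dataclass

IBM_SUPPLIED = {"QSECOFR", "QSRV", "22222222", "11111111"}  # listed on this page
MAX_IDS = 100  # page limit, IBM-supplied IDs included
MIN_ADMINS = 2  # assumed threshold for "multiple" security-capable IDs


@dataclass(frozen=True)
class ServiceToolsId:  # hypothetical inventory record, not an IBM format
    name: str
    enabled: bool
    password_expires: bool
    privileges: frozenset = frozenset()


def audit(ids):
    """Return sorted (user_id, finding) tuples for an inventory of IDs."""
    findings = []
    if len(ids) > MAX_IDS:
        findings.append(("*ALL", f"inventory exceeds {MAX_IDS} IDs"))
    # Privileges held by IBM-supplied QSECOFR define "QSECOFR-equivalent".
    baseline = next((i.privileges for i in ids if i.name == "QSECOFR"), frozenset())
    admins = [i for i in ids if i.enabled and i.name not in IBM_SUPPLIED
              and baseline and i.privileges >= baseline]
    for i in ids:
        if i.name == "11111111" and i.privileges:
            findings.append((i.name, "console-only ID holds privileges"))
        elif i.name in IBM_SUPPLIED - {"11111111"} and i.enabled:
            findings.append((i.name, "well-known IBM-supplied ID is enabled"))
        if i.enabled and not i.password_expires:
            findings.append((i.name, "password has no expiration"))
    if len(admins) < MIN_ADMINS:
        findings.append(("*ALL", "too few site-created QSECOFR-equivalent IDs (lockout risk)"))
    return sorted(findings)


FULL = frozenset({"SECURITY", "DISK_UNITS", "TRACE", "START_SERVICE_TOOLS"})  # constructed labels
SAMPLE = [  # constructed inventory
    ServiceToolsId("QSECOFR", True, True, FULL),
    ServiceToolsId("QSRV", False, True, frozenset({"TRACE"})),
    ServiceToolsId("22222222", False, True, frozenset({"TRACE"})),
    ServiceToolsId("11111111", True, True),
    ServiceToolsId("SECADM1", True, True, FULL),
    ServiceToolsId("DISKOPS", True, False, frozenset({"DISK_UNITS", "START_SERVICE_TOOLS"})),
]

if __name__ == "__main__":
    for user_id, finding in audit(SAMPLE):
        print(f"{user_id:10} {finding}")
```

The sample inventory yields three findings: only one site-created ID matches the QSECOFR privileges, DISKOPS has a non-expiring password, and the IBM-supplied QSECOFR ID is still enabled.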