Question & Answer
Question
What are the minimum requirements for the i-STAP START_USER?
Cause
Starting the IBM i guardium agent (call sysaudit_start_batch('')) requires that the i-STAP START_USER has *JOBCTL, *SECADM and *ALLOBJ special authorities.
Answer
The START_USER is the user profile that will run the guardium audit job. It is set in the QSYS2.SYSAUDIT configuration table.
The START_USER is required to have *JOBCTL *SECADM and *ALLOBJ special authorities.
As a good practice, the user profile password can be set to *NONE.
The following SQL statement ran from STRSQL or IBM ACS Run SQL Scripts, returns the START_USER value.
SELECT START_USER from QSYS2.SYSAUDIT
For example: START_USER = 'GDUSER'
DSPUSRPRF for the START_USER value must show:
User Profile . . . . . . . . . . . . . . . : GDUSER
User class . . . . . . . . . . . . . . . . : *USER
Special authority . . . . . . . . . .: *JOBCTL
*ALLOBJ
User class . . . . . . . . . . . . . . . . : *USER
Special authority . . . . . . . . . .: *JOBCTL
*ALLOBJ
*SECADM
If any of the special authorities are not set, the following command can be run to set the authority:
CHGUSRPRF USRPRF(GDUSER) PASSWORD() SPCAUT(*JOBCTL *ALLOBJ *SECADM)
Note: Make sure that the START_USER is not 'QSECOFR'. Otherwise, you will get the following error message when you try to start IBM i guardium agent in batch mode:
CPD1617 "Value specified for USER parameter not correct".
Related Information
[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]
Was this topic helpful?
Document Information
Modified date:
20 August 2025
UID
ibm11284904