Troubleshooting
Problem
This document describes the steps to take when moving to security level 30 from a lower level.
Resolving The Problem
In addition to the security provided at Level 20, Level 30 provides the following security functions:
o  Users must be specifically given authority to use resources on the system.
o  Only user profiles created with the *SECOFR security class are given *ALLOBJ special authority automatically.
When you change to security level 30 from a lower security level, the system changes all user profiles the next time you perform an IPL. Special authorities are added to and removed from user profiles to match the default special authorities for the user class. For example, *ALLOBJ special authority is removed from all user profiles except those with a user class of *SECOFR.
If the system has been running applications at a lower security level, set up and test resource security before changing to security Level 30. Following is a recommended list of tests:
o  For each application, set the appropriate authorities for application objects.
o  Test each application using actual user profiles or special test user profiles:
   -- Remove *ALLOBJ special authority from the user profiles used for testing.
   -- Grant appropriate application authorities to the user profiles.
   -- Run the application using the user profiles.
   -- Check for authority failures (error messages or by using the security audit journal).
o  When all applications run successfully with test profiles, grant the appropriate authorities for application objects to all production user profiles.
o  If the QLMTSECOFR (limit security officer) system value is 1 (Yes), users with *ALLOBJ or *SERVICE special authority must be specifically authorized to devices at security Level 30 or higher. Give these users *CHANGE authority to selected devices, give QSECOFR *CHANGE authority to the devices, or change the QLMTSECOFR system value to 0.
o  Change the security level on your system and perform an initial program load (IPL).
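The test sequence above, written out as CL commands. This is an added example, not part of the original IBM document. The profile TESTUSR1 (user class *USER), library APPLIB, and device DSP01 are hypothetical placeholders, and it assumes security auditing may not be active yet.

```cl
/* Added example: TESTUSR1, APPLIB and DSP01 are hypothetical names.      */

/* 1. Record the current level and the limit-security-officer setting.    */
DSPSYSVAL SYSVAL(QSECURITY)
DSPSYSVAL SYSVAL(QLMTSECOFR)

/* 2. Make authority failures visible in the audit journal (QAUDJRN).     */
/*    Review the current settings first: CHGSECAUD replaces the existing  */
/*    QAUDLVL list, so include any values already in use.                 */
DSPSECAUD
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*AUTFAIL)

/* 3. Remove *ALLOBJ from the test profile. SPCAUT(*NONE) is the Level 30 */
/*    default for user class *USER (assumed class of TESTUSR1).           */
CHGUSRPRF USRPRF(TESTUSR1) SPCAUT(*NONE)

/* 4. Grant the application authorities the profile actually needs.       */
/*    *USE is only a starting point; raise it per object as testing shows.*/
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(TESTUSR1) AUT(*USE)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*ALL) USER(TESTUSR1) AUT(*USE)

/* 5. Sign on as TESTUSR1, run the application, then list the authority   */
/*    failure (AF) entries that profile generated.                        */
DSPAUDJRNE ENTTYP(AF) USRPRF(TESTUSR1) OUTPUT(*PRINT)

/* 6. If QLMTSECOFR is 1, authorize the security officer to the devices   */
/*    it must be able to sign on from.                                    */
GRTOBJAUT OBJ(DSP01) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*CHANGE)

/* 7. After production profiles have their authorities, change the level. */
/*    It takes effect at the next IPL.                                    */
CHGSYSVAL SYSVAL(QSECURITY) VALUE('30')
PWRDWNSYS OPTION(*CNTRLD) DELAY(600) RESTART(*YES)
```

Repeat steps 3 through 5 until the AF listing is empty for every application before running step 7.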
Further information can be found in Chapter 2 of the Security Reference Manual.
Historical Number
4300943
Document Information
Modified date: 08 October 2024
UID: nas8N1014711