After reading Establishing user accountability in AS400, the iSeries security expert response from Carol Woodbury, one reader sent us this comment to round out her answer. Thanks, Tom!
Especially with QSECOFR, it’s difficult to guarantee full accountability. Whatever QSECOFR can put in place, QSECOFR can remove. There are potential items that can help though.
For interactive work, for example, a routing program might intercept the job and prompt for an individual’s identification. This might consist of a user/password prompt that could be tested against actual user/password via perhaps the Get Profile Handle (QSYGETPH) API, followed by Release Profile Handle (QSYRLSPH) API if successful.
The routing program might continue by setting job logging levels or various audit attributes before transferring control to QSYS/QCMD (or your own request-processing program). Before transferring control, it might send scope messages to ensure that end-of-job logging also occurred or set condition handlers for similar purposes.
None of that *guarantees* anything. But it can help when an auditor asks what’s been done.