Another reader recently chimed in on Establishing user accountability in AS400, an expert iSeries security response from Carol Woodbury. Thanks to “KrillDog” for the info!
In terms of SOX regulations and their recommended “best practices” efforts on segregation of duties, the iSeries Security Administrator position (if established) should manage the QSECOFR password. If the actual QSECOFR profile is required by a System Administrator, say for a system upgrade, an actual request is filled out with the reason for required QSECOFR access and submitted to the SecAdmin for approval and account activation. This provides evidence of an actual request from an approved user and then the audit journal records can be processed and attached to the request (on-line or hard-copy). This is the process I had to establish to prevent random access with the QSECOFR profile.