In order to add authority to a profile, your profile must already have that authority.
According to the IBM help screen:
Security administrator authority is given to the user.
The user can create, change, or delete user profiles
if authorized to the Create User Profile (CRTUSRPRF),
Change User Profile (CHGUSRPRF), or Delete User
Profile (DLTUSRPRF) commands and is authorized to the
user profile. <b>This authority does not allow giving
special authorities that this user profile does not
have.</b> To give *SECADM special authority to another
user, a user must have both *ALLOBJ and *SECADM
Note that the above is true in the context of the “effective” user profile (or current user) for a job. The effective and current users for a job can be changed during run-time.
A job user may call a program that <i>supplies</i> an effective user through the mechanism called “adopted authority”. This adopted authority remains in effect as long as the program remains in the call stack. (Other programs lower in the call stack may choose not to propagate adopted authority to lower levels though.)
Or a job user may call a program that changes the job’s current user to a more powerful profile. The current user of a job remains in effect until later calls revert the job back to the job user’s authority. (Typically, the programs that switch a new current user in and back out gain the capability through adopted authority.)
In short, a low-authority user may be granted the permission to CALL programs that temporarily supply needed authority.