Comments on: QSECOFR Profile Creation

By: TomLiotta

TomLiotta — Thu, 06 Dec 2012 22:26:03 +0000

What is the difference between normal user profile and DST/SST profile…?

The difference is that a normal *USRPRF doesn’t work inside of DST/SST and a DST/SST profile does work; also, a DST/SST profile can’t do anything that a normal *USRPRF can do. They are different things completely..

Where and all we can use these DST/SST profiles..?

You can use them to enter DST/SST. Once inside of DST/SST, you can use them to do whatever you gave them privileges to do.

Tom

By: didinu

didinu — Thu, 06 Dec 2012 12:22:53 +0000

What is the difference between normal user profile and DST/SST profile…? Where and all we can use these DST/SST profiles..?

By: TomLiotta

TomLiotta — Wed, 05 Dec 2012 20:56:03 +0000

How we can check in which library…

All *USRPRF objects always exist in QSYS. It doesn’t matter who created them.

Who will be having the authority to change the DST/SST Qsecofr profile password..?

That depends on how you set it up. First, you can sign on to the system as QSECOFR and run the CHGDSTPWD *DEFAULT command. That will set the QSECOFR DST/SST password back to its default value. Second, any DST/SST profile that you grant authority to change DST/SST passwords can change DST/SST passwords.

Can we create similar *SECOFR DST/SST profile..?

Yes. For the first one, you can sign into DST/SST with the QSECOFR DST/SST profile. After you create the first one, you can sign into DST/SST with your new DST/SST profile to create extra ones.

From the SST menu, take option 8=’Work with service tools user IDs and Devices’. Then take option 1=’Service tools user IDs’.

Then use option 1=’Create’ to create new DST/SST profiles. Use option 7=’Change privileges’ to assign DST/SST privileges to your new DST/SST profiles.

You can select all privileges for your first DST/SST profile. That will give you a new high-authority DST/SST profile that you can use instead of QSECOFR. The new DST/SST profile can set privileges for any other DST/SST profiles that you create. Do not forget that these are not the same as normal *USRPRF user profiles. The names are not related to each other.

Tom

By: didinu

didinu — Wed, 05 Dec 2012 18:56:51 +0000

Tom, Who will be having the authority to change the DST/SST Qsecofr profile password..? Can we create similar *SECOFR DST/SST profile..?

By: MayurRastogi

MayurRastogi — Wed, 05 Dec 2012 12:33:07 +0000

Tom, this question is to you!How we can check in which library or SYSVAL these UserClass are created by IBM ?

By: TomLiotta

TomLiotta — Wed, 05 Dec 2012 12:24:21 +0000

Will there be any difference between the ordinary QSECOFR profile and QSECOFR DST/SST profile. …?

Everything is different except the names. They do completely different things. They should have different passwords.

Both the Qsecofr will be configured by IBM…?

Both are created and initially configured by IBM. I haven’t tried to delete the QSECOFR DST/SST profile, so I don’t know if it can be deleted and recreated. I don’t want to try.

Tom

By: didinu

didinu — Wed, 05 Dec 2012 11:31:34 +0000

Will there be any difference between the ordinary QSECOFR profile and QSECOFR DST/SST profile. …? Both the Qsecofr will be configured by IBM…?

By: TomLiotta

TomLiotta — Tue, 04 Dec 2012 12:44:41 +0000

A DST/SST profile is not the same as a user profile. You can’t create a QSECOFR DST/SST profile. You create a DST/SST profile by signing into DST (or SST) with an existing DST/SST profile that has the authority to create new DST/SST profiles. There already is a QSECOFR DST/SST profile that you would use to create your first DST/SST profile. Assign the security capabilities that you want the new DST/SST profile to have. It can have the same name as or a different name from any existing user profile. — Tom

By: didinu

didinu — Tue, 04 Dec 2012 12:26:24 +0000

Thanks Tom,
I am having another doubt, I want to use DST login, for that I need to create new QSECOFR profile or I can use the one which was already created by IBM..?

By: TomLiotta

TomLiotta — Tue, 04 Dec 2012 00:32:58 +0000

You can not create a QSECOFR profile (without IBM assistance). You are probably asking about creating a new profile with *SECOFR user class and all authorities that go with that user class.

Just sign on as QSECOFR and run CRTUSRPRF for the new profile and specify *SECOFR for the user class. Leave authorities as the default values for the user class. Once created, you can sign on with that profile and begin working as a local security officer, including creating another *SECOFR profile.

After you have a local *SECOFR profile, you should avoid signing on with QSECOFR unless you have directions from IBM to do it. That means that even 3rd-party vendors will not need to require QSECOFR. You can use your local *SECOFR instead of QSECOFR.

If you need to use security officer authority or ownership, use your *SECOFR profile. Do not assign to QSECOFR (nor any other IBM-supplied profile) except perhaps as a temporary state before changing the assignment to a proper profile.

Creation of a local security officer is done the same as any other profile. You need to be signed on with a profile that has enough authority to make the assignments. When you create your first *SECOFR profile, the only profile you can use is QSECOFR. After that, you don’t need QSECOFR except for IBM requests and emergencies like deleting all local *SECOFR profiles and re-creating a new first one.

Tom