Analyzing and Adjusting Profiles’ User Class: Moving to a Higher Security Level
The analysis for moving off QSECURITY 20 begins with the profiles’ user class settings. To get this listing, we’ll make use of the QSYS2.USER_INFO IBM i Service, which returns each profile’s user class and its currently assigned special authorities in one row.
I’ve included the currently assigned special authorities in my SQL so you can see what special authorities may potentially be stripped away at the IPL that brings the new security level into effect. I say “potentially” because, when the system moves from level 20 to level 30 or higher, each profile’s special authorities are reset to the defaults for its user class, as shown in Table 3.1 from chapter 2 of the IBM i Security Reference manual. Authorities the profile holds today that are not in its class’s defaults are removed; any defaults it lacks are added.
Table 3.1: Default special authorities by user class, from chapter 2 of the IBM i Security Reference manual.
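The listing described above, as an added example rather than the book’s own query. It reads QSYS2.USER_INFO and, beside each profile’s current special authorities, shows the set its user class receives at QSECURITY 30 and higher as encoded from Table 3.1 (check the mapping against the Security Reference for your release). Any authority present in CURRENT_SPCAUT but absent from LEVEL_30_DEFAULT is what the IPL will remove; the last column flags *USER-class profiles that currently hold something beyond *ALLOBJ and *SAVSYS, since those were granted deliberately and need a decision.

```sql
-- Added example, not the book's SQL. Run with a profile that can read QSYS2.USER_INFO.
-- LEVEL_30_DEFAULT is the Table 3.1 default for the class at security level 30 and above.
SELECT AUTHORIZATION_NAME  AS PROFILE,
       USER_CLASS_NAME     AS USER_CLASS,
       GROUP_PROFILE_NAME  AS GROUP_PROFILE,
       SPECIAL_AUTHORITIES AS CURRENT_SPCAUT,
       CASE USER_CLASS_NAME
         WHEN '*SECOFR' THEN '*ALLOBJ *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SECADM *SERVICE *SPLCTL'
         WHEN '*SECADM' THEN '*SECADM'
         WHEN '*SYSOPR' THEN '*JOBCTL *SAVSYS'
         WHEN '*PGMR'   THEN '*NONE'
         WHEN '*USER'   THEN '*NONE'
       END                 AS LEVEL_30_DEFAULT,
       -- At level 20 every *USER already has *ALLOBJ and *SAVSYS; anything else was
       -- granted on purpose and belongs on the post-IPL review list.
       CASE
         WHEN USER_CLASS_NAME = '*USER'
          AND REPLACE(REPLACE(SPECIAL_AUTHORITIES, '*ALLOBJ', ''), '*SAVSYS', '')
              <> REPEAT(' ', LENGTH(REPLACE(REPLACE(SPECIAL_AUTHORITIES, '*ALLOBJ', ''), '*SAVSYS', '')))
         THEN 'REVIEW'
         ELSE ''
       END                 AS POST_IPL_FLAG
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
 ORDER BY USER_CLASS_NAME, AUTHORIZATION_NAME;
```

SPECIAL_AUTHORITIES reflects only the authorities held directly by the profile; authorities inherited from a group profile do not appear here, so a group’s row must be read together with its members’ rows.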
I encourage you to assign users to the user class that best matches their job responsibilities. Special authorities may have been assigned over the years but may no longer be (or never were) necessary. Now is the perfect time to reduce excess special authorities. This means that most profiles should be assigned to the *USER user class, which at level 30 and higher carries no special authorities at all.
Obviously, security and system administrators will likely be assigned to the *SECOFR user class. But you may have some service accounts that are designed to have *ALLOBJ special authority—perhaps a profile designated to run all job scheduler jobs. What do you do with this profile’s user class? You have two choices: leave it in the *USER user class and assign *ALLOBJ once the IPL has taken place, or assign it to the *SECOFR user class. I prefer the former. It’s unlikely that any service account needs all special authorities. Assigning it to the *SECOFR user class may be convenient, but you risk leaving that profile with far more special authorities than are required. It’s likely that you’re going to have a list of profiles that need adjusting after the IPL, so add these service accounts to that list.
Another set of profiles you may need to adjust belongs to your programmers—or at least the profile your programmers use to debug production issues. It’s likely that profile will need *JOBCTL special authority after the IPL has taken place. In this case, I’d assign the required special authorities to their group, because a user’s effective special authorities include those of its group profiles. Or, if they don’t belong to a group, take this opportunity to create a group for them and assign it *JOBCTL, so you only have one profile to adjust after the IPL.
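The post-IPL adjustment list from the two preceding paragraphs, carried out as one repeatable script through the QSYS2.QCMDEXC procedure. This is an added example, not the book’s own code; the profile names SCHEDSVC (the job scheduler service account), PGMRGRP (the new programmer group) and PGMR1/PGMR2 (its members) are hypothetical. Note that SPCAUT on CHGUSRPRF replaces the profile’s whole special-authority list, which is exactly what we want here.

```sql
-- Added example, not the book's code. Run after the IPL to the new QSECURITY level,
-- from a profile that holds *SECADM and *ALLOBJ (required to grant *ALLOBJ to others).
-- SCHEDSVC, PGMRGRP, PGMR1 and PGMR2 are hypothetical names.

-- Service account that runs the job scheduler: stays in *USER and gets back only *ALLOBJ,
-- not the full *SECOFR set. SPCAUT() replaces the entire list.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(SCHEDSVC) USRCLS(*USER) SPCAUT(*ALLOBJ)');

-- Group for programmers who debug production. A group profile should never be signed
-- on to directly, so it gets PASSWORD(*NONE); *JOBCTL is granted once, here.
CALL QSYS2.QCMDEXC('CRTUSRPRF USRPRF(PGMRGRP) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*JOBCTL) TEXT(''Programmer production-debug group'')');

-- Members inherit *JOBCTL through the group and hold nothing directly, so there is a
-- single place to adjust later.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(PGMR1) GRPPRF(PGMRGRP) SPCAUT(*NONE)');
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(PGMR2) GRPPRF(PGMRGRP) SPCAUT(*NONE)');

-- Verify: only PGMRGRP should show *JOBCTL and only SCHEDSVC should show *ALLOBJ;
-- the members show *NONE because USER_INFO lists directly held authorities only.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, GROUP_PROFILE_NAME, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE AUTHORIZATION_NAME IN ('SCHEDSVC', 'PGMRGRP', 'PGMR1', 'PGMR2')
 ORDER BY AUTHORIZATION_NAME;
```

If the programmer profiles already belong to a primary group for object ownership, put the debug group in SUPGRPPRF() instead of GRPPRF() so that ownership of newly created objects is unchanged.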