The numerous System Values on the IBM i are the main controlling system settings that determine how your system operates. For example, the System Value QCRTAUT determines what the *PUBLIC authority is for newly created objects. The System Value QALWOBJRST determines if there are any restrictions on the objects that can be restored on the system. The values QTIME and QDATE store the current system time and date respectively.
When you aren't the only one at your company who has security officer privileges or high levels of authority, one of these other powerful users can change the settings stored in these System Values. I have seen a case in which an unwise change to the QCRTAUT System Value caused the system to create objects with the wrong security settings.
In order to protect these high-impact, security-related System Values, IBM has provided a Lock/Unlock mechanism that's available only through System Service Tools (SST).
In order to access the Lock/Unlock setting, a user must have access to a Service Tools user ID and password. These Service Tools user IDs and passwords aren't the same as the operating system user IDs and passwords. These are special Service Tools user IDs, like 11111111, 22222222 and, yes, QSECOFR. But the Service Tools user QSECOFR is a different user than the OS QSECOFR, typically with a different password.
To access the System Values Lock/Unlock function, run the command Start System Service Tools (STRSST) and, when prompted, enter the QSECOFR Service Tools user ID and its SST password. You're then presented with the System Service Tools menu as shown here.
Select one of the following:
1. Start a service tool
2. Work with active service tools
3. Work with disk units
4. Work with diskette data recovery
5. Work with system partitions
6. Work with system capacity
7. Work with system security
8. Work with service tools user IDs and Devices
F3=Exit F10=Command entry F12=Cancel
Select menu option 7 (Work with System Security). The following screen is then shown. To lock the security-related System Values, enter 2 (No) for "Allow system value security changes" and press Enter. Specifying 2 prohibits anyone from changing the security-related System Values until the setting is changed back to 1 through SST.
Work with System Security
Type choices, press Enter.
Allow system value security changes . . . . . 2 1=Yes, 2=No
Allow new digital certificates . . . . . . . 1 1=Yes, 2=No
Allow a service tools user ID with a
default and expired password to change
its own password . . . . . . . . . . . . . . 1 1=Yes, 2=No
What System Values are Protected from Modification?
You obviously can't lock every System Value against every user. That would prevent the date from changing at midnight and the time from advancing during the day. The system also adjusts memory pools throughout the day, which changes storage-allocation System Values such as QBASPOOL.
In IBM i 6.1, the following System Values are locked by the SST Lock/Unlock function:
QALWOBJRST QDEVRCYACN QPWDLMTAJC
QALWUSRDMN QDSCJOBITV QPWDLMTCHR
QAUDCTL QDSPSGNINF QPWDLMTREP
QAUDENACN QFRCCVNRST QPWDLVL
QAUDFRCLVL QINACTMSGQ QPWDMAXLEN
QAUDLVL QLMTDEVSSN QPWDMINLEN
QAUDLVL2 QLMTSECOFR QPWDPOSDIF
QAUTOCFG QMAXSGNACN QPWDRQDDGT
QAUTORMT QMAXSIGN QPWDRQDDIF
QAUTOVRT QPWDCHGBLK QPWDRULES
QCRTAUT QPWDEXPITV QPWDVLDPGM
QRETSVRSEC QSCANFSCTL QSSLCSLCTL
QRMTSIGN QSECURITY QSSLPCL
QRMTSRVATR QSHRMEMCTL QUSEADPAUT
QSCANFS QSSLCSL QVFYOBJRST
If you need to restrict changes to additional System Values, you can attempt to restrict access to the CHGSYSVAL command itself. But if your technicians have high levels of authority, restricting the use of the CHGSYSVAL command isn't effective in preventing changes to the System Values that aren't listed above.
I strongly encourage you to set the System Value lock in SST. If a protected System Value must be changed, it should only be done with the administrator's approval. In that case, the lock can be temporarily removed and the System Value changed. Once the System Value is changed, the lock can be reset by the administrator.
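Once the lock is set, the values in the protected list should only change through the approve-unlock-change-relock procedure above, so a periodic comparison against a documented baseline tells you whether that procedure was bypassed. The following query is an added example and not part of the article; it assumes IBM i 7.1 or later, where the QSYS2.SYSTEM_VALUE_INFO SQL service is available (it does not exist on the 6.1 release the article describes), and the expected values are an illustrative hardening baseline to be replaced with your own policy.

```sql
-- Added example (not from the article): compare a subset of the security-related
-- System Values that the SST lock protects against a documented baseline.
-- Assumes IBM i 7.1 or later for the QSYS2.SYSTEM_VALUE_INFO service.
-- The expected values are an illustrative hardening baseline, not IBM defaults;
-- replace them with the settings your own security policy documents.
-- Only character-type values are listed here; numeric ones such as QPWDMINLEN
-- are exposed in CURRENT_NUMERIC_VALUE and would be compared as numbers.
WITH baseline (system_value_name, expected_value) AS (
  VALUES ('QSECURITY',  '40'),        -- security level 40 or higher
         ('QCRTAUT',    '*EXCLUDE'),  -- new objects get no *PUBLIC authority by default
         ('QALWOBJRST', '*ALWPTF'),   -- sensitive objects restorable only as part of a PTF
         ('QVFYOBJRST', '3'),         -- verify object signatures on restore
         ('QLMTSECOFR', '1'),         -- limit powerful users to explicitly authorised devices
         ('QMAXSIGN',   '3'),         -- three failed sign-on attempts before QMAXSGNACN applies
         ('QRETSVRSEC', '0')          -- do not retain decryptable server credentials
)
SELECT b.system_value_name,
       b.expected_value,
       RTRIM(v.current_character_value) AS current_value
  FROM baseline b
  LEFT JOIN qsys2.system_value_info v
         ON v.system_value_name = b.system_value_name
 WHERE v.system_value_name IS NULL                           -- value not found on this release
    OR RTRIM(v.current_character_value) <> b.expected_value  -- value drifted from the baseline
 ORDER BY b.system_value_name;
```

Any row returned for a value in the locked list means the lock was lifted in SST (or never set), because CHGSYSVAL cannot modify those values while the lock is in place.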