Changing to level 30 from a lower level

When you change to security level 30 from a lower security level, the system changes all user profiles to update special authorities the next time you perform an initial program load (IPL).

Special authorities that the user was given at 10 or 20, but didn't have at 30 or above, are removed. Special authorities that the user was given that are not associated with their user class are not changed. For example, *ALLOBJ special authority is removed from all user profiles except those with a user class of *SECOFR. See Table 2 for a list of the default special authorities and the differences between level 10 or 20 and the higher security levels.

If your system has been running applications at a lower security level, you should set up and test resource security before changing to security level 30. Consider performing the following recommended activities:

  • For each application, set the appropriate authorities for application objects.
  • Test each application by using either actual user profiles or special test user profiles.
    • Remove *ALLOBJ special authority from the user profiles that are used for testing.
    • Grant appropriate application authorities to the user profiles.
    • Run the application using the user profiles.
    • Check for authority failures either by looking for error messages or by using the security audit journal.
  • When all applications run successfully with the test profiles, grant appropriate authorities for application objects to the production user profiles that should have access to the application.
  • If the QLMTSECOFR (limit security officer) system value is 1 (Yes), users with *ALLOBJ or *SERVICE special authority must be specifically authorized to devices at security level 30 or higher. You can give these users *CHANGE authority to selected devices, give QSECOFR *CHANGE authority to the devices, or change the QLMTSECOFR system value to 0.
  • Change the security level on your system and perform an initial program load (IPL).

If you want to change to level 30 without defining individual object authorities, make the public authority for application objects high enough to run the application. Run application tests to make sure no authority failures occur.