System Security Level

PowerTech recommended setting: 40 or 50

Importance: High

Purpose: The different security levels and their meanings are listed below:

Level 10: No Security. No password required, and user IDs are created for any user who requests signon. IBM no longer supports level 10.

Level 20: Password Security. Every user must have a valid ID and password. Every user with a valid ID and password assumes root-level authority.

Level 30: Resource Security. Object-level authority is enforced. A moderately knowledgeable programmer or operator can bypass resource-level security and assume root-level authority.

Level 40: Operating System Security. Level 30 protection plus operating system integrity. It is possible for an extremely knowledgeable programmer with access to your system to elevate his or her level of authority – possibly as high as root-level authority.

Level 50: Enhanced Operating System Security. Level 40 protection plus enhanced operating system integrity. A properly secured system at security level 50 is the best defense available, although other configuration issues may still persist that make even a level 50 machine vulnerable.

Risks and Concerns: Some vendor packages may not run under security level 40 and above. Level 40 security was introduced in 1991, so at this late date almost all vendors do support level 40. Use the QAUDJRN audit journal and the PGMFAIL audit level to determine whether any non-compliant products are installed. QSECURITY levels below 40 have several well-known weaknesses. QSECURITY level 40 or 50 is strongly recommended.
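
The QAUDJRN / PGMFAIL check described above, sketched as an added example (not PowerTech or IBM code): it triages authority-failure (AF) audit entries that have already been exported from QAUDJRN and lists the programs that logged PGMFAIL-type violations. The CSV column names and sample rows are constructed for illustration and are not the real journal outfile layout.

```python
import csv
import io
from collections import Counter

# AF violation types written to QAUDJRN when QAUDLVL includes *PGMFAIL.
PGMFAIL_TYPES = {
    "B": "restricted (blocked) instruction",
    "C": "object validation failure",
    "D": "unsupported interface (domain violation)",
    "R": "hardware storage protection violation",
}

# Constructed sample: AF entries exported to CSV. Column names are assumptions
# made for this example, not the layout of the real DSPJRN outfile.
SAMPLE_CSV = """\
timestamp,violation_type,program_library,program_name,user
2024-03-01 02:10:44,D,VENDLIB,INVUPD,BATCHUSR
2024-03-01 02:10:45,D,VENDLIB,INVUPD,BATCHUSR
2024-03-01 08:31:02,A,PAYLIB,PAYRPT,JSMITH
2024-03-02 11:05:19,B,OLDTOOLS,PATCHER,QPGMR
2024-03-02 23:59:58,C,VENDLIB,FASTIO,BATCHUSR
"""

def pgmfail_offenders(csv_text):
    """Count PGMFAIL-type AF entries per (library, program, violation type)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        vtype = row["violation_type"].strip().upper()
        # Ordinary authority failures (for example type A) are not
        # program-integrity violations, so they are skipped here.
        if vtype in PGMFAIL_TYPES:
            counts[(row["program_library"], row["program_name"], vtype)] += 1
    return counts

def libraries_to_review(counts):
    """Libraries holding at least one program that logged a PGMFAIL violation."""
    return sorted({lib for (lib, _pgm, _vtype) in counts})

if __name__ == "__main__":
    found = pgmfail_offenders(SAMPLE_CSV)
    for (lib, pgm, vtype), n in sorted(found.items()):
        print(f"{lib}/{pgm}: {n} x type {vtype} ({PGMFAIL_TYPES[vtype]})")
    print("Libraries to review:", ", ".join(libraries_to_review(found)))
```

Programs that appear in this report while the system runs below level 40 are the ones to raise with their vendors before changing QSECURITY.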