The role of the security administrator is of prime importance to the security of a system and is therefore subject to special handling. Upon delivery, the privilege of the security administrator is assigned to the user ID SYSPRIV.
The role of the security administrator cannot be assigned to another user ID while the system is running. If a user ID other than SYSPRIV is to assume the role of the security administrator, the user ID can be changed with the startup parameter service. For this, the following prerequisites must be fulfilled:
Only a single user ID may be the security administrator, which means that only one user ID may be specified in the startup parameter file.
The specified user ID must already exist.
The specified user ID must not possess any privilege set on the home pubset and may not possess any individual privileges except STD-PROCESSING or (already) SECURITY-ADMINISTRATION.
The user IDs TSOS and SYSAUDIT must not be specified.
The user ID must not be the user manager or the group manager on the home pubset.
These conditions are checked during startup. If this check detects an error, or if no entry for the user ID of the security administrator exists in the startup parameter file, the values from the previous session remain unchanged except where this startup is a first start. In this case, the user ID SYSPRIV becomes the user ID of the security administrator.
The restrictions regarding the nomination of the security administrator and SAT file manager with regard to the user IDs and co-existing privileges and rights may be canceled if required (see section "Centralized administration").
If, during the current session, a pubset on which the user ID is the manager of a user group is imported, the SRPM administration ensures that the security administrator cannot execute any “illegal” commands, although his/her privilege as a group manager would normally permit the use of these commands. The privilege SECURITY-ADMINISTRATION overrides this privilege.
The following must be entered in the startup parameter file in order to change the user ID which is to play the role of the security administrator:
/BEGIN SRPM SECADM USER-ID=<USERID> /EOF
<userid> must be replaced with the name of the new user ID.
Startup executes the following steps:
The privilege SECURITY-ADMINISTRATION is set for the new user ID and the privilege STD-PROCESSING is withdrawn.
SAT logging is activated; for changing the logging setting, the user ID is regarded as not switchable.
The privilege SECURITY-ADMINISTRATION is withdrawn from the user ID which was the security administrator in the previous session and the privilege
STD-PROCESSING is set for this user ID.SAT logging remains active for this user ID, but it can be deactivated if desired.