If security-administrator status is authorized on the system, then only a security administrator can issue the SYSADMIN COMMAND system command. If security-administrator status is not authorized on the system, then only a system administrator can issue the SYSADMIN COMMAND system command. For information about security-administrator authorization and setting security-administrator status, refer to the System Commands Reference.
When security-administrator status is authorized, a precedence rule is established between the SYSADMIN COMMAND and RESTRICT COMMAND system commands.
Only a security administrator is permitted to use the SYSADMIN COMMAND system command to add or delete restricted commands. Thus the security administrator determines the commands over which the system administrator usercode has control. The system administrator cannot change the set of commands that the security administrator has delegated in this way. The security administrator can give the system administrator exclusive rights to a particular command and option, or the security administrator can retain exclusive rights to the same command and option.
If a security administrator delegates a command to the control of a system administrator, then the security administrator is not permitted to use that command until it has been removed from the system administrator's control with the SYSADMIN COMMAND system command.
A security administrator can permit a command to be used by both a system administrator and a security administrator. This action is accomplished by naming the command using both the RESTRICT COMMAND and SYSADMIN COMMAND system commands.
A user with both security administrator and system administrator privileges is not subject to command restrictions.
SECAD –
When a security administrator is defined in the USERDATAFILE and ??SECAD – is entered, the system requires that the usercode and password of a security administrator be entered to authorize the action.
When a security administrator is not defined in the USERDATAFILE, authorization is not required.
When ??SECAD – is successful, the system SECADMIN option is assigned the value FALSE and there is no software enforcement of the definition of security administrator. Therefore, any usercode that is designated PU (Privileged User) in the USERDATAFILE can run Security Center or MAKEUSER and use USERDATA to alter all usercode attributes for all users in the USERDATAFILE.
