To tighten system security and maintain compliance, you can restrict even very powerful users from changing certain critical security-related system values. Without this restriction in place, any user with *ALLOBJ, *SECADM, and, in some cases, *AUDIT special authority can modify these system security–related values. With the restriction in place, even the most powerful users can’t change this key group of system value settings.

QALWJOBITP	QAUTORMT	QLMTDEVSSN	QPWDLMTREP	QRETSVRSEC       QALWOBJRST 	QAUTOVRT	QLMTSECOFR	QPWDLVL	QRMTSIGN           QALWUSRDMN	QCRTAUT 	QMAXSGNACN 	QPWDMAXLEN  	QRMTSRVATR  
QAUDCTL 	QCRTOBJAUD 	QMAXSIGN 	QPWDMINLEN 	QSCANFS 
QAUDENACN 	QDEVRCYACN 	QPWDCHGBLK 	QPWDPOSDIF 	QSCANFSCTL 
QAUDFRCLVL 	QDSPSGNINF 	QPWDEXPITV 	QPWDRQDDGT 	QSECURITY
QAUDLVL 	QDSCJOBITV 	QPWDEXPWRN 	QPWDRQDDIF 	QSHRMEMCTL
QAUDLVL2 	QFRCCVNRST 	QPWDLMTAJC 	QPWDRULES 	QUSEADPAUT
QAUTOCFG 	QINACTMSGQ 	QPWDLMTCHR 	QPWDVLDPGM 	QVFYOBJRST 

To restrict the ability to change system values, run the CL command STRSST (Start System Service Tools) to start the System Service Tools (SST). Signon as to Service Tools with QSECOFR. Select option 7, “Work with system security.” Enter N (No) for the option “Allow change of security-related system values field” to restrict access to changing the system values.

When the need arises to change one of these security system values, the system administrator will want to be in the loop anyway. So you are not making a change that should be a hindrance to anyone who has a legitimate reason to change a security-related system value. You need to be involved in that decision.