Beginning with SAP kernel release 7.20, it was required to install and activate the SAP Host Agent on any server or partition that was running one or multiple SAP instances. The SAP Host Agent is providing several life-cycle management services, such as operating system monitoring, database monitoring, system instance control and provisioning. To avoid authority problems when performing their tasks, several of the SAP Host Agent processes are running under user profile QSECOFR, even when the SAP Host Agent was started by a different user profile.

In the past, it was required to keep user profile QSECOFR enabled and maintain a valid, non-expired password in order to allow the user switch to QSECOFR. This had been documented in SAP Note 1031096, and when QSECOFR was disabled or had an expired password, the SAP Host Agent was not working correctly.

However, some companies have security policies in place that do not allow functional user profiles which can be used by more than one person. Instead of using QSECOFR, the administrators are using their own named user profiles, so that you can identify the responsible person for a faulty activity by auditing. In the case of SAP Host Agent, it is not easy to switch to a user profile other than QSECOFR, so a different path was chosen.

Beginning with SAP Host Agent release 7.21, patch level 43, the requirement for an enabled user profile QSECOFR with a valid, non-expired password has been lifted. The patch level is available on the SAP Software Download Center since July 24^th, 2019, and SAP Note 1031096 has been updated accordingly. So, if your security policy requires you to disable user profile QSECOFR on your system, make sure to have SAP Host Agent release 7.21, patch level 43 installed before doing so. In addition to the authority enhancement, this patch level also contains the necessary changes to support the new operating system release IBM i 7.4.