rob@dekko.com wrote:

> How can I prevent people from deleting their joblogs?
>
> We are using the IBM utility to clear these out. Too many times I've run
> into problems and discovered the joblogs gone. I had to secure the command
> CLROUTQ because of one offender.
>
> Closest I've come to is creating my own DLTSPLF command and placing that
> above QSYS in the system library list. That will probably hit the
> majority. However, any bets that this wouldn't stop Op's Nav?

Years ago we did extensive research on this topic in order to determine how to prevent a user from deleting the audit trail that DBU and DFU would generate when data was changed by programmers. We came to the conclusion that a user will always have authority to delete a spool file that they own. You just can't stop it. We were able to significantly hinder deletion to the point where we were reasonably sure it wasn't happening, but could not completely guarantee that we'd stop it.

The essence of the solution was this... Attach a data queue to the outqueue in question. Every time a spool file appears in the outq in the 'RDY' status, an entry is generated into the data queue. A never-ending job (running under a profile called NETSPOOL, having *SPLCTL special authority, and no one is authorised to this profile or the objects that it owns) would then pluck the entry off of the out queue and SNDNETSPLF to another out queue. This essentially changes the spool file's owner. Now all that is needed is to properly secure the new spool file (outq really) so that the user can read, but not change or delete the spool file.

A bit convoluted, but it was fairly effective. If it's a solution that you are interested in, and you're patient, I'll scurry around and try to find the CL code that made all of this work.

jte

P.S. For you security sleuths out there: there is at least one potential security flaw in this design that made us unable to guarantee that no one deleted their own spool files. Can you find it?
> Rob Berendt
>
> ==================
> Remember the Cole!
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

--
John Earl johnearl@400security.com
The PowerTech Group --> new number --> 253-872-7788
PowerLock Network Security www.400security.com
--
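
The forwarding job described in the reply above, written out as an added CL example; it is not the CL code the poster mentions, and it is not from the list archive. The names AUDLIB, JOBLOGDQ, the directory entry AUDITOR SYSTEMA and the monitored output queue QUSRSYS/QEZJOBLOG are assumptions, and the offsets follow the 128-byte record type 01 spooled-file data queue entry.

```cl
/* Added example; not the original poster's CL. Assumed names:      */
/* AUDLIB, JOBLOGDQ, directory entry AUDITOR SYSTEMA, and the        */
/* monitored output queue QUSRSYS/QEZJOBLOG.                         */
/* One-time setup:                                                   */
/*   CRTDTAQ DTAQ(AUDLIB/JOBLOGDQ) MAXLEN(128)                       */
/*   CHGOUTQ OUTQ(QUSRSYS/QEZJOBLOG) DTAQ(AUDLIB/JOBLOGDQ)           */
/* Run as a never-ending batch job under the NETSPOOL profile.       */
PGM
  DCL VAR(&DTAQ)   TYPE(*CHAR) LEN(10) VALUE('JOBLOGDQ')
  DCL VAR(&DTAQLIB) TYPE(*CHAR) LEN(10) VALUE('AUDLIB')
  DCL VAR(&ENTRY)  TYPE(*CHAR) LEN(128)
  DCL VAR(&LEN)    TYPE(*DEC)  LEN(5 0)
  DCL VAR(&WAIT)   TYPE(*DEC)  LEN(5 0) VALUE(-1) /* wait forever */
  DCL VAR(&JOBNAM) TYPE(*CHAR) LEN(10)
  DCL VAR(&JOBUSR) TYPE(*CHAR) LEN(10)
  DCL VAR(&JOBNBR) TYPE(*CHAR) LEN(6)
  DCL VAR(&SPLF)   TYPE(*CHAR) LEN(10)
  DCL VAR(&SPLNBR) TYPE(*DEC)  LEN(6 0)

LOOP:
  /* Block until a spooled file reaches RDY on the monitored outq   */
  CALL PGM(QRCVDTAQ) PARM(&DTAQ &DTAQLIB &LEN &ENTRY &WAIT)

  /* Ignore anything that is not a record type 01 *SPOOL entry      */
  IF COND(%SST(&ENTRY 1 12) *NE '*SPOOL    01') THEN(GOTO CMDLBL(LOOP))

  /* Entry layout: job name 13-22, user 23-32, number 33-38,        */
  /* spooled file name 39-48, spooled file number 49-52 (binary)    */
  CHGVAR VAR(&JOBNAM) VALUE(%SST(&ENTRY 13 10))
  CHGVAR VAR(&JOBUSR) VALUE(%SST(&ENTRY 23 10))
  CHGVAR VAR(&JOBNBR) VALUE(%SST(&ENTRY 33 6))
  CHGVAR VAR(&SPLF)   VALUE(%SST(&ENTRY 39 10))
  CHGVAR VAR(&SPLNBR) VALUE(%BIN(&ENTRY 49 4))

  /* The received copy is owned by the target user and lands in     */
  /* that user's output queue, which must be secured separately     */
  SNDNETSPLF FILE(&SPLF) TOUSRID((AUDITOR SYSTEMA)) +
               JOB(&JOBNBR/&JOBUSR/&JOBNAM) SPLNBR(&SPLNBR)
  MONMSG MSGID(CPF0000) EXEC(DO)
    /* A failed send means no protected copy exists: tell QSYSOPR   */
    SNDPGMMSG MSG('SNDNETSPLF failed for job ' *CAT &JOBNBR *CAT +
                '/' *CAT &JOBUSR *TCAT '/' *CAT &JOBNAM) +
                TOMSGQ(QSYSOPR)
  ENDDO
  GOTO CMDLBL(LOOP)
ENDPGM
```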
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.