Hello,
Unless the USER parameter of the JOBD is set to a powerfull user (which would a rather strange/bad idea), just using a JOBD does not give you anymore authority and your example would not work.
So our JOBD here are well define and our auditors are ok with it.
But if you have the USER parameters of your JOBD setup with a powerfull user id, then your auditor should worry because all the people that have access to your SECJOBD can do things under a different ID masking any wrong doing using the SBMJOB you describe. Then identifying the person that did the "CLRLIB" would be difficult.
So it is not a question of who has *use right to the JOBD, but rather if the JOBD can give more access right with it's USER parameter.
Denis Robitaille
Chef de service TI - Solution Entreprise
Infrastructure et Opérations
Cascades Centre des technologies,
412 Marie Victorin
Kingsey falls(Québec) Canada J0A 1B0
T : 819 363 6130
-----Message d'origine-----
De : MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] De la part de Rob Berendt
Envoyé : 20 mai 2016 08:46
À : Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Objet : RE: SBMJOB adopted authority...
So, it's perfectly acceptable that any user can do SBMJOB CMD(CLRLIB LIB(PRODLIB)) JOBD(SECJOBD) USER(*JOBD) SBMJOB CMD(CHGUSRPRF QSECOFR PASSWORD(HITHERE)) JOBD(SECJOBD) USER(*JOBD) My auditors tend to believe differently.
If someone "just has to" submit such a job it's done from a program with adopted authority.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Denis Robitaille <denis_robitaille@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 05/20/2016 08:34 AM
Subject: RE: SBMJOB adopted authority...
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hello,
I dont know who told you that *public *use was bad for JOBD but, in my
mind, that is perfectly acceptable.
Denis Robitaille
Chef de service TI - Solution Entreprise
Infrastructure et Opérations
Cascades Centre des technologies,
412 Marie Victorin
Kingsey falls(Québec) Canada J0A 1B0
T : 819 363 6130
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Gerald Magnuson
Sent: 19 mai 2016 17:27
To: midrange-l@xxxxxxxxxxxx
Subject: SBMJOB adopted authority...
ok, we do run adoptive authority, but we do have our *jobd's as *public
*use....
I am told that is bad.
I read stuff about adoptive authority and a submitted job, and a new call
stack....
but that doesn't address the CPF1411 error I am getting on the SBMJOB
command "not authorized to job description" when I change the *JOBDs to
*PUBLIC *EXCLUDE
I also read stuff about creating a different SBMJOB command, or adding
routing entries to our batch subsystems...
Is my only recourse, to create a *AUTL, to put on my *JOBD's, to only
allow those users I want to use those *JOBDs?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
midrange.com
