I think where Jim was going is the SBMJOB command goes into that CLP
that adopts authority. This way the job user doesn't have authority on
their own to submit jobs with other user's authority. However when that
program is called it adopts enough authority to be able to submit the
job under another profile. So that CLP is primarily just one command
SBMJOB. The input parameters are basically just whatever you need to
fill out the SBMJOB such as date ranges or other values.
In theory you could also make it very generic and have the parameter be
the entire command to run. But, um WARNING WARNING WARNING that is a
massive security hole!! Because now they could run PWRDWNSYS for example
or my favorite command GIVBIGRAIS.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 12/27/2019 8:49 AM, Jay Vaughn wrote:
jim thank you...
we don't want to necessarily just adopt the authority of another user, we
literally need it to run under the "other" user profile...
the reason for this is we have a pgmA that is a clp that runs an sftp
process.
When pgmA is invoked and ran, we don't know if this particular sftp will be
password or ssh key auth.
But we do know if it will be sshkey or password when we code the sbmjob in
our application.
And if it is ssh key then we want to sbmjob user(sftpuser). (sftpuser is
the sole userprofile for holding all the ssh keys.)
jay
On Fri, Dec 27, 2019 at 8:43 AM Jim Oberholtzer <midrangel@xxxxxxxxxxxxxxxxx>
wrote:
Jay:
I’m not certain what the use case is here, but I’ll bet you don’t really
want to give everyone that authority, or at least based on your note a
limited number.
The best way to accomplish this in my view is with an adopted authority
CLP wrapper.
Take in parms that you need for the job, and craft a SBMJOB command as
needed. Create your own command if it makes sense to do so.
That way you can accomplish your goal and maintain some level of
control.
I’ve even seen those programs encode a journal entry to a user journal in
order to memorialize the job for later audit.
Jim Oberholtzer
Agile Technology Architects
On Dec 27, 2019, at 7:25 AM, Jay Vaughn <jeffersonvaughn@xxxxxxxxx> wrote:
so we have a need to submit a job under another specific user profile.
what is the best/cleanest method for implementing this?
obviously we can just specify the new user on the sbmjob user() parm,
but what about each individual user profile that may do the sbmjob, what is the
best/cleanest way to maintain those user authorized to the sbmjob
user() user profile?
tia
jay
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
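The adopted-authority wrapper discussed in this thread, sketched as an added example (not code posted by any of the participants). It takes a transfer id checked against an allowlist instead of a command string, hard-codes the SBMJOB, and writes a user journal entry for audit. APPLIB, SFTPOWNER, SFTPGRP, AUDJRN, the program name and the transfer ids are hypothetical; PGMA and SFTPUSER follow the names used in the thread.

```cl
/* SBMSFTPKEY: added example. APPLIB, SFTPOWNER, SFTPGRP, AUDJRN and  */
/* the transfer ids are hypothetical names.                           */
/* Setup by a security administrator (not part of the program):       */
/*   CRTBNDCL PGM(APPLIB/SBMSFTPKEY) SRCFILE(APPLIB/QCLSRC)           */
/*            USRPRF(*OWNER)                                          */
/*   CHGOBJOWN OBJ(APPLIB/SBMSFTPKEY) OBJTYPE(*PGM) NEWOWN(SFTPOWNER) */
/*   GRTOBJAUT OBJ(QSYS/SFTPUSER) OBJTYPE(*USRPRF) USER(SFTPOWNER)    */
/*            AUT(*USE)                                               */
/*   GRTOBJAUT OBJ(APPLIB/SBMSFTPKEY) OBJTYPE(*PGM) USER(*PUBLIC)     */
/*            AUT(*EXCLUDE)                                           */
/*   GRTOBJAUT OBJ(APPLIB/SBMSFTPKEY) OBJTYPE(*PGM) USER(SFTPGRP)     */
/*            AUT(*USE)                                               */
             PGM        PARM(&XFERID)
             DCL        VAR(&XFERID) TYPE(*CHAR) LEN(10)
             DCL        VAR(&CALLER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&ENTDTA) TYPE(*CHAR) LEN(80)

/* The caller selects a known transfer by id, never a command string. */
             IF         COND((&XFERID *NE 'VENDORA') *AND +
                          (&XFERID *NE 'VENDORB')) THEN(SNDPGMMSG +
                          MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                          MSGDTA('Transfer id not allowed') +
                          MSGTYPE(*ESCAPE))

/* CURUSER is the requesting user; adoption does not change it.       */
             RTVJOBA    CURUSER(&CALLER)

/* Library-qualify everything that runs under adopted authority so    */
/* the caller's library list cannot substitute another object.        */
             QSYS/SBMJOB CMD(CALL PGM(APPLIB/PGMA) PARM(&XFERID)) +
                          JOB(SFTPXFER) USER(SFTPUSER)

/* Record who submitted what, for later audit.                        */
             CHGVAR     VAR(&ENTDTA) VALUE('SBMJOB USER(SFTPUSER) +
                          XFER(' *CAT &XFERID *TCAT ') BY ' *CAT +
                          &CALLER)
             QSYS/SNDJRNE JRN(APPLIB/AUDJRN) TYPE('SJ') ENTDTA(&ENTDTA)
             ENDPGM
```

Membership in SFTPGRP (or an authorization list in its place) is then the single point that controls who may submit work as SFTPUSER, and no individual user needs *USE authority to that profile.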
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.