|
Another point would be over all security. That job description is well known. If it's changed to a high authority profile, you leave a potential security hole in plain view that can be exploited in ways you would not intend.
A call or the submitted job would be significantly more secure. Even then, that job should check itself to be sure its running in an appropriate environment and time.
Jim Oberholtzer
Agile Technology Architects
On Mar 7, 2018, at 5:05 PM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:
Don,
I have similar issues with QPGMR on QSTRUP.
One of the things I've done is the processes that need be started by a certain user is to do SBMJOB with that user.
This also solve the authority issue.
Keep in mind, if you start jobs with QSECOFR, if you ever need to view any of those jobs, you need to be a user with QSECOFR authority, or equivalent.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Don Brown
Sent: Wednesday, March 07, 2018 6:54 PM
To: Midrange Systems Technical Discussion
Subject: System startup porgram and adopted authority
System is V7R3
When the system IPL's the startup program specified in the system value QSTRUPPGM is run.
The job is started with job description QSYS/QSTRUPJD and by default this job description has user profile QPGMR
I had always changed the startup program to be owned by QSECOFR and use
USRPRF(*OWNER)
I believed the program would then adopt QSECOFR authority.
I am looking at a joblog for the startup program where an error occurred as the user QPGMR was not authorised to the CHGNFSEXP as the profile does not have IOSYSCFG special authority.
This is true, QPGMR does not have IOSYSCFG and QSECOFR does have IOSYSCFG
My thought is to change the user in the QSYS/QSTRUPJD to QSECOFR.
But I do not understand why the program is not running with QSECOFR authority ?
Any suggestions from the group ?
Don Brown
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.