Looks like some kind of solution - the reason I went the API route is
from a statement you made in one of your posts -
  we don't want to necessarily just adopt the authority of another user, we
  literally need it to run under the "other" user profile...
So I was responding to the end of that and took it to mean you want the
job user (or current user) to BE that "other" user.
But I probably missed something, or requirements kind of got "swapped"!
:)
Happy New Year
Vern
On 12/27/2019 8:21 AM, Jay Vaughn wrote:
so may have stumbled upon a much simpler solution where I may have been
unclear about not needing tightened security with new SFTPUSER user
profile.
in our test layer, i simply copied a basic user profile to a new SFTPUSER
profile.
Both are under same group profile and owned by *GRPPRF.
I can easily submit the job from basic user profile to user(SFTPUSER) and
this accomplishes what I need without dinking with security.
I guess what I failed to mention is that SFTPUSER does NOT need to have
enhanced security around it compared to basic user profiles.
Jay
On Fri, Dec 27, 2019 at 9:03 AM DrFranken <midrange@xxxxxxxxxxxx> wrote:
I think where Jim was going is the SBMJOB command goes into that CLP
that adopts authority. This way the job user doesn't have authority on
their own to submit jobs with other user's authority. However when that
program is called it adopts enough authority to be able to submit the
job under another profile. So that CLP is primarily just one command
SBMJOB. The input parameters are basically just whatever you need to
fill out the SBMJOB such as date ranges or other values.
In theory you could also make it very generic and have the parameter be
the entire command to run. But, um WARNING WARNING WARNING that is a
massive security hole!! Because now they could run PWRDWNSYS for example
or my favorite command GIVBIGRAIS.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 12/27/2019 8:49 AM, Jay Vaughn wrote:
jim thank you...
we don't want to necessarily just adopt the authority of another user, we
literally need it to run under the "other" user profile...
the reason for this is we have a pgmA that is a clp that runs an sftp
process.
When pgmA is invoked and ran, we don't know if this particular sftp will be
password or ssh key auth.
But we do know if it will be sshkey or password when we code the sbmjob in
our application.
And if it is ssh key then we want to sbmjob user(sftpuser). (sftpuser is
really the sole userprofile for holding all the ssh keys.)
jay
On Fri, Dec 27, 2019 at 8:43 AM Jim Oberholtzer <midrangel@xxxxxxxxxxxxxxxxx>
wrote:
Jay:
I’m not certain what the use case is here, but I’ll bet you don’t
want to give everyone that authority, or at least based on your note a
limited number.
The best way to accomplish this in my view is with an adopted
authority CLP wrapper.
Take in parms that you need for the job, and craft a SBMJOB command as
needed. Create your own command if it makes sense to do so.
That way you can accomplish your goal and maintain some level of
control. I’ve even seen those programs encode a journal entry to a user
journal in order to memorialize the job for later audit.
Jim Oberholtzer
Agile Technology Architects
On Dec 27, 2019, at 7:25 AM, Jay Vaughn <jeffersonvaughn@xxxxxxxxx> wrote:
so we have a need to submit a job under another specific user
what is the best/cleanest method for implementing this?
obviously we can just specify the new user on the sbmjob user() parm, but
what about each individual user profile that may do the sbmjob, what is the
best/cleanest way to maintain those user authorized to the sbmjob user()
user profile?
tia
jay
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
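
An added example, not code from the thread or from any poster: a minimal adopted-authority CLP wrapper of the kind discussed above, where the caller passes data only and the SBMJOB command and target profile are fixed, with a journal entry for audit. The names SBMSFTP, APPLIB, PGMA, AUDJRN, SFTPOWN and &XFERID are hypothetical; SFTPUSER is the profile named in the thread.

```cl
/* SBMSFTP: added example, not code from the thread.                  */
/* Hypothetical names: SBMSFTP, APPLIB, PGMA, AUDJRN, SFTPOWN,        */
/* &XFERID. SFTPUSER is the profile named in the thread.              */
/*                                                                    */
/* Build so the program adopts its owner's authority, then lock it:   */
/*   CRTBNDCL  PGM(APPLIB/SBMSFTP) SRCFILE(APPLIB/QCLSRC)             */
/*             USRPRF(*OWNER)                                         */
/*   CHGOBJOWN OBJ(APPLIB/SBMSFTP) OBJTYPE(*PGM) NEWOWN(SFTPOWN)      */
/*   GRTOBJAUT OBJ(QSYS/SFTPUSER) OBJTYPE(*USRPRF) USER(SFTPOWN)      */
/*             AUT(*USE)                                              */
/*   GRTOBJAUT OBJ(APPLIB/SBMSFTP) OBJTYPE(*PGM) USER(*PUBLIC)        */
/*             AUT(*EXCLUDE)   (then grant *USE to allowed callers)   */

PGM        PARM(&XFERID)
  DCL      VAR(&XFERID) TYPE(*CHAR) LEN(10)
  DCL      VAR(&CALLER) TYPE(*CHAR) LEN(10)
  DCL      VAR(&AUDIT)  TYPE(*CHAR) LEN(40)

  /* The caller supplies data only, never a command string.         */
  IF       COND(&XFERID *EQ ' ') THEN(SNDPGMMSG MSGID(CPF9898) +
             MSGF(QCPFMSG) MSGDTA('Transfer id is required') +
             MSGTYPE(*ESCAPE))

  /* Fixed program, fixed target profile. The caller needs no       */
  /* authority to SFTPUSER; the adopted owner authority covers it.  */
  SBMJOB   CMD(CALL PGM(APPLIB/PGMA) PARM(&XFERID)) JOB(SFTPKEY) +
             USER(SFTPUSER)

  /* Record who asked for the job, for later audit.                 */
  RTVJOBA  USER(&CALLER)
  CHGVAR   VAR(&AUDIT) VALUE('SBMSFTP' *BCAT &CALLER *BCAT &XFERID)
  SNDJRNE  JRN(APPLIB/AUDJRN) TYPE('SJ') ENTDTA(&AUDIT)
ENDPGM
```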
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].