RE: [Security400] DSPJOBLOG needs *JOBCTL authority?

[bdietz@xxxxxx]

Dan we overcame this for our programming staff by writing our own "DSPJOB"
command.  All you nned to do is to have a cl program that accepts the fully
qualified job name and executes the DSPJOB JOB(123456/user/job) OPTION
(*JOBLOG) command.  The CL program needs to adopt the autority needed.


-------------------------
 Bryan Dietz
3X Corporation






                    "Bale, Dan"
                    <D.Bale@handleman.co       To:     
<security400@midrange.com>
                    m>                         cc:
                    Sent by:                   Subject:     RE: [Security400] 
DSPJOBLOG needs *JOBCTL authority?
                    security400-admin@mi
                    drange.com


                    09/26/2001 11:42 AM
                    Please respond to
                    security400






This is a multi-part message in MIME format.
--
[ Picked text/plain from multipart/alternative ]
"fundle"?  Uh, Anton, your translator garbled something there. <g>  You
know what, though, I think I like that word.  "Don't fundle around with
that!"

Anyway, I concur with what you said about "fiddling" with IBM objects.
Normally I would simply take the approach you suggested, creating a
separate program with parms to call the DSPJOBLOG command with *OWNER
adopted authority yada yada.  The problem with that scenario is that the
user was attempting to view the job log of an active job using option 10
from the "Work with Job" menu.  AFAIK, my only hope is to create my own
DSPJOBLOG command that appears higher in the library list than the one
in QSYS.  This command's CPP would do the things you suggested and I
presume this would work as a solution.  This assumes that option 10 does
not qualify the DSPJOBLOG command (and how would one determine that?)

But what a mess!  Now I have to create a new library that has to be put
above QSYS in the system library list by changing the QSYSLIBL system
value.  Our QA & Security Audit teams will have a fun time with that.

Dan Bale
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com

> -----Original Message-----
> From:         Anton Gombkötö [SMTP:gombkoetoe@assoft.com]
> Sent:         Wednesday, September 26, 2001 11:20 AM
> To:           security400@midrange.com
> Subject:           Re: [Security400] DSPJOBLOG needs *JOBCTL authority?
>
> Dan,
>
> I wouldn't fundle around with IBM's commands or command processing
> programs.
> PTF's could remove your changes easily to mention just one reason.
>
> I'd create a little program with the DSPJOBLOG with the desired parms
> in it
> and change this program to use *OWNER rights. And make a powerful
> enough
> user the owner of it. If you want, you can then set the access rights
> to
> this program to allow only your "system operator-type users" to use
> it.
>
>
>
> Mit freundlichen Grüssen / best regards
>
> Anton Gombkötö
>
> Avenum Technologie GmbH
> Wien - Mattsee - Stuttgart
> e-mail Office   :       mailto:Anton.Gombkoetoe@avenum.com
> Homepage        :       http://www.avenum.com
>
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list
To post a message email: Security400@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/security400
or email: Security400-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.