Dan, 1) First of all, they need *JOBCTL if, and only if, they are looking at jobs other than their own. Correct me if you've discovered otherwise. But anyone who truly needs to look at someone else's joblog usually needs *JOBCTL authority for other reasons. 2) Second, if the job is running under a user profile with *ALLOBJ, then they will need *ALLOBJ authority also. I can't figure out why IBM came up with this a few releases ago. However, our workaround was to significantly reduce the number of jobs running under special users with *ALLOBJ authority. Most of the time, there was no good reason. Historically "Hey, let's set up a user called MASTER. And all WRKJOBSCDE jobs will run under that user." Rob Berendt ================== A smart person learns from their mistakes, but a wise person learns from OTHER peoples mistakes. "Bale, Dan" <D.Bale@handleman.co To: <email@example.com> m> cc: Sent by: Fax to: security400-admin@mi Subject: [Security400] DSPJOBLOG needs *JOBCTL authority? drange.com 09/26/2001 09:58 AM Please respond to security400 I am surprised that DSPJOBLOG requires *JOBCTL authority. How does someone assume "control" of a job by displaying the job log? Regardless, I have a system operator-type user who needs to be able to display the job log of jobs that are not his jobs. Since (I believe) I can not grant object authority to enable him to use the IBM command, I am thinking that I will have to use adopted authority. Since the CPP for DSPJOBLOG is QMHDSPJL, could I just change the program to adopt authority? Just now looking that program up, it is owned by QSYS and already runs under the *OWNER user profile; it is also set to use adopted authority. Since QSYS already has *JOBCTL authority, why is a profile without this specific authority denied access to the command? Advice on how to accomplish this would be greatly appreciated! Dan Bale IT - AS/400 Handleman Company 248-362-4400 Ext. 4952 D.Bale@Handleman.com _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/security400 or email: Security400firstname.lastname@example.org Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.