Dan,

1)  First of all, they need *JOBCTL if, and only if, they are looking at
jobs other than their own.  Correct me if you've discovered otherwise.  But
anyone who truly needs to look at someone else's joblog usually needs
*JOBCTL authority for other reasons.
2)  Second,  if the job is running under a user profile with *ALLOBJ, then
they will need *ALLOBJ authority also.  I can't figure out why IBM came up
with this a few releases ago.  However, our workaround was to significantly
reduce the number of jobs running under special users with *ALLOBJ
authority.  Most of the time, there was no good reason.  Historically "Hey,
let's set up a user called MASTER.  And all WRKJOBSCDE jobs will run under
that user."

Rob Berendt

==================
A smart person learns from their mistakes,
but a wise person learns from OTHER people's mistakes.


"Bale, Dan" <D.Bale@handleman.com>
Sent by: security400-admin@midrange.com
09/26/2001 09:58 AM
Please respond to security400

To: <security400@midrange.com>
cc:
Fax to:
Subject: [Security400] DSPJOBLOG needs *JOBCTL authority?

I am surprised that DSPJOBLOG requires *JOBCTL authority.  How does
someone assume "control" of a job by displaying the job log?

Regardless, I have a system operator-type user who needs to be able to
display the job log of jobs that are not his jobs.  Since (I believe) I
can not grant object authority to enable him to use the IBM command, I
am thinking that I will have to use adopted authority.  Since the CPP
for DSPJOBLOG is QMHDSPJL, could I just change the program to adopt
authority?  Just now looking that program up, it is owned by QSYS and
already runs under the *OWNER user profile; it is also set to use
adopted authority.  Since QSYS already has *JOBCTL authority, why is a
profile without this specific authority denied access to the command?

Advice on how to accomplish this would be greatly appreciated!

Dan Bale
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com


_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list
To post a message email: Security400@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/security400
or email: Security400-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.






