Steve,

Does someone know of a way to correct this behavior or of another
method of giving users (on-call programmers, actually) a way to respond
to problems which would require *ALLOBJ authority without actually giving
them *ALLOBJ on their user profile?

We have a product that does this - with all the enhanced reporting and
notification features you'd expect from a mature commercial product.
It also has a FireCall(R) feature that allows programmers to be
temporarily elevated, while tracking all of their activity.

I have to agree with Ed though - the behavior you describe is very odd.
Only IBM can write T-CD entries to QAUDJRN, and once you put a user into
Command Audit mode, the system should write the entries until you do a
CHGUSRAUD command to take them back out. I haven't seen Wayne's code
either, so my guess is that if you need to stay with that utility,
you've got some debugging to do.

jte

--

John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx






-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Steve McKay
Sent: Thursday, May 01, 2008 8:58 AM
To: security400@xxxxxxxxxxxx
Subject: [Security400] Wayne Evans' LOGCMD

I have a copy of Wayne Evans' LOGCMD program/command. This
allows specified non-admin users to gain *ALLOBJ authority
and records the commands they enter to QAUDJRN by acquiring a
user profile handle, turning on *CMD auditing on the user
profile, and processing the entered commands as messages from
the external message queue. This works well if the user
stays on the QCMD screen that is initially displayed. If the
user enters some command that has its own command line
(WRKACTJOB, for instance), any commands entered on that
command line do not get recorded in QAUDJRN.

Does someone know of a way to correct this behavior or of
another method of giving users (on-call programmers,
actually) a way to respond to problems which would require
*ALLOBJ authority without actually giving them *ALLOBJ on
their user profile?

TIA,

Steve





