Thanks for your help. If it's any consolation, the only folks with access
to the program will be 5 programmers who, prior to my original
implementation of this program, did have *ALLOBJ all the time. My original
program did not use journal entries but only printed a joblog of their jobs.
So I feel like I've added *some* security by adding the QAUDJRN entries.
Eventually, we will be able to execute *SPENDMONEY and get a 'real' solution
Also, I have bookended the main part of the program with e-mails to the
Director of IT, the Info Sec Officer, and the Programming Manager, the first
indicating that so-and-so is calling the LOGCMD program and providing the
job name, user name, and job number and the last indicating that they have
ended it. The latter e-mail includes an attachment showing all journal
entries created by the user between the initialization of the program and
the end of the program.
Ed Fishel" <edfishel@xxxxxxxxxx> wrote
"I do not like the idea of giving any user access to a command line where
*ALLOBJ authority. Doing this is almost as bad as giving them *ALLOBJ all
of the time. They can do virtually anything on the system. So the only
group of people I would give authority to run the following program are
those people that I would be willing to give two user profiles, one with
*ALLOBJ authority and one without. With this program you only have to
create the user profile without *ALLOBJ authority. So most of the time they
are running without *ALLOBJ authority."
This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact