Examine job log of active job running under profile with *ALLOBJ special authority

Post by Jonathan B » Sun, 23 Jul 2006 05:01:08


Does anyone know why there is a restriction on users with *JOBCTL
special authority, but who lack *ALLOBJ special authority, being unable
to view the job log of an active job running under a profile that has
*ALLOBJ? This seems to have been an issue for quite some time; there
was a somewhat, um, testy exchange over it in this group back in 1999:
http://www.yqcomputer.com/

It still is an issue. We just had a case of a developer who needs to
monitor and potentially debug some jobs that run under QPGMR profile.
Both the developer and QPGMR are of user class *PGMR, but QPGMR has
*ALLOBJ, while the developer does not. The developer profile does have
*JOBCTL.

The application administration function of iSeries Navigator has the
specific ability to grant users with *JOBCTL but without *ALLOBJ the
ability to look at active job logs for jobs running under profiles that
have *ALLOBJ. Also, the same access can be granted using the CHGFCNUSG
(Change Usage Function) command with a function ID of
QIBM_ACCESS_ALLOBJ_JOBLOG. In addition, I found that making QPGMR one
of the developer's supplemental group profiles also enabled her to look
at the job logs of active jobs running under QPGMR (not sure what other
security holes that might open, though.)

How to resolve her specific problem is clear. What isn't clear to me
is why it's a problem in the first place. What is the security issue
concerning a non-*ALLOBJ user looking at the active job log for a
profile that has *ALLOBJ?

Post by jsev9 » Tue, 25 Jul 2006 07:20:11


First and foremost - why does QPGMR have *ALLOBJ authority? Are you
running at security level 10 or 20? The default authorities for QPGMR
at security level 30 and above are *JOBCTL and *SAVSYS therefore you
are either running at security level 10 or 20 or you have modified the
profile - both situations are a very bad idea.


Adding QPGMR as a group profile is also a bad idea - you have now given
your programmer *ALLOBJ authority which is why they can view the
joblog.



One way around the problem is to create your own custom DSPJOBLOG
command which adopts the authorities of an *ALLOBJ profile. I don't
know why IBM require additional authority to view these joblogs however
IMO this is not the issue. To me, the issue you are experiencing is one
of poor security design. I am assuming that these jobs are nightly
batch jobs rather than system jobs. Questions that come to mind are:
Why have you modified QPGMR profile?
Why are you running jobs under an *ALLOBJ profile?
Why are you running your nightly batch jobs under a system profile?
If the answer to these questions is so the batch jobs have access to
your application, then you should be visiting your security setup. As
a start, you should create a user ID purely to own your application
objects. You should create one or more group profiles and give them
access to these objects. You can then run your batch jobs either under
the owning profile or a group profile. That will give it access to all
your application objects without the need for *ALLOBJ.
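
Added example (not part of either post, and not IBM code): a small Python model of the point made in the thread, comparing a developer granted usage of QIBM_ACCESS_ALLOBJ_JOBLOG with one who has QPGMR as a supplemental group, and listing profiles that pick up *ALLOBJ only through a group. The profile names DEVPLAIN, DEVFCN and DEVGRP, the sample data and the simplified access rule are assumptions based on what the posts describe.

```python
# Constructed profiles modelled on the thread; not output from a real system.
# DEVPLAIN, DEVFCN and DEVGRP are hypothetical developer profiles.
PROFILES = {
    "QPGMR":    {"spcaut": {"*ALLOBJ", "*JOBCTL", "*SAVSYS"}, "groups": []},
    "DEVPLAIN": {"spcaut": {"*JOBCTL"}, "groups": []},
    "DEVFCN":   {"spcaut": {"*JOBCTL"}, "groups": []},
    "DEVGRP":   {"spcaut": {"*JOBCTL"}, "groups": ["QPGMR"]},
}
# Profiles allowed to use function QIBM_ACCESS_ALLOBJ_JOBLOG (constructed).
JOBLOG_FUNCTION_USERS = {"DEVFCN"}


def effective_spcaut(name, profiles=PROFILES):
    """Own special authorities plus those of the group and supplemental groups."""
    prof = profiles[name]
    eff = set(prof["spcaut"])
    for group in prof["groups"]:
        eff |= profiles[group]["spcaut"]
    return eff


def can_view_active_joblog(viewer, job_user, profiles=PROFILES,
                           function_users=JOBLOG_FUNCTION_USERS):
    """Simplified model of the restriction as described in the thread."""
    viewer_aut = effective_spcaut(viewer, profiles)
    if "*JOBCTL" not in viewer_aut:
        return False
    if "*ALLOBJ" not in effective_spcaut(job_user, profiles):
        return True
    return "*ALLOBJ" in viewer_aut or viewer in function_users


def inherited_allobj(profiles=PROFILES):
    """(profile, group) pairs where *ALLOBJ is gained only through a group."""
    findings = []
    for name, prof in sorted(profiles.items()):
        if "*ALLOBJ" in prof["spcaut"]:
            continue
        for group in prof["groups"]:
            if "*ALLOBJ" in profiles[group]["spcaut"]:
                findings.append((name, group))
    return findings


if __name__ == "__main__":
    for dev in ("DEVPLAIN", "DEVFCN", "DEVGRP"):
        print(dev, can_view_active_joblog(dev, "QPGMR"),
              sorted(effective_spcaut(dev)))
    print("inherited *ALLOBJ:", inherited_allobj())
```

Both DEVFCN and DEVGRP can read the job log in this model, but only DEVGRP ends up with *ALLOBJ in its effective authorities, which is the difference between the two workarounds.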
