Developer Forum

Does anyone know why there is a restriction on users with *JOBCTL
special authority, but who lack *ALLOBJ special authority, being unable
to view the job log of an active job running under a profile that has
*ALLOBJ? This seems to have been an issue for quite some time; there
was a somewhat, um, testy exchange over it in this group back in 1999:
http://www.yqcomputer.com/

It still is an issue. We just had a case of a developer who needs to
monitor and potentially debug some jobs that run under QPGMR profile.
Both the developer and QPGMR are of user class *PGMR, but QPGMR has
*ALLOBJ, while the developer does not. The developer profile does have
*JOBCTL.

The application administration function of iSeries Navigator has the
specific ability to grant users with *JOBCTL but without *ALLOBJ the
ability to look at active job logs for jobs running under profiles that
have *ALLOBJ. Also, the same access can be granted using the CHGFCNUSG
(Change Usage Function) command with a function ID of
QIBM_ACCESS_ALLOBJ_JOBLOG. In addition, I found that making QPGMR one
of the developer's supplemental group profiles also enabled her to look
at the job logs of active jobs running under QPGMR (not sure what other
security holes that might open, though.)

How to resolve her specific problem is clear. What isn't clear to me
is why it's a problem in the first place. What is the security issue
concerning a non-*ALLOBJ user looking at the active job log for a
profile that has *ALLOBJ?

First and foremost - why does QPGMR have *ALLOBJ authority? Are you
running at security level 10 or 20? The default authorities for QPGMR
at security level 30 and above are *JOBCTL and *SAVSYS therefore you
are either running at security level 10 or 20 or you have modified the
profile - both situations are a very bad idea..


Adding QPGMR as a group profile is also a bad idea - you have now given
your programmer *ALLOBJ authority which is why they can view the
joblog.



One way around the problem is to create your own custom DSPJOBLOG
command which adopts the authorities of an *ALLOBJ profile. I don't
know why IBM require additional authority to view these joblogs however
IMO this is not the issue. To me, the issue you are experiencing is one
of poor security design. I am assuming that these jobs are nightly
batch jobs rather than system jobs. Questions that come to mind are:
Why have you modified QPGMR profile
Why are you running jobs under an *ALLOBJ profile
Why are you running your nightly batch jobs under a system profile
If the anwer to these questions is so the batch jobs have access to
your application, then you should be visiting your security setup. As
a start, you should create a user ID purely to own your application
objects. You should create one or more group profile and give them
access to these objects. You can then run your batch jobs either under
the owning profile or a group profile. That will give it access to all
your application objects without the need for *ALLOBJ.