Newsletters   Subscriptions  Forums  Store   Career  Media Kit  About Us  Contact  Search   Home 
fhg
Volume 5, Number 37 -- October 5, 2005

Shutting Down WRKSBMJOB Options


Hey, Joe:


I want to hide some of the options on the Work with Submitted Jobs command display (WRKSBMJOB) from my users. I don't want certain user IDs to run option '2'=Change Job or option '3'=Hold job. I need to do this for specific user IDs belonging to a certain group profile. For other users, I'd like these options to be usable. Do you have any suggestions?

--Pankaj

The simple way to do this would be to limit authority to the commands that WRKSBMJOB calls when you type in option '2' or option '3'. Option '2' calls the Change Job command (CHGJOB) while option '3' calls the Hold Job command (HLDJOB). You can limit the authority of your users to access each of these commands by following this steps.

For either of the commands you want to limit, enter the Edit Object Authority command (EDTOBJAUT) as follows:

EDTOBJAUT OBJ(command_name) OBJTYPE(*CMD)

What you will probably see if that the public user (*PUBLIC) has use authority (*USE) and the owner of the object has all authority to manipulate that object (*ALL). Public *USE authority means that anyone can call the command. If you wanted to change your authorities to only allow certain groups of users to run the HLDJOB or CHGJOB commands, you could change the object authorities on those commands to the following:


User Authority
*PUBLIC *EXCLUDE
GROUP_PROFILE 1 *USE
GROUP_PROFILE 2 *USE
OBJECT OWNER *ALL

By changing public user access to *EXCLUDE, you are revoking public use authority so that a user or a group profile has to be explicitly authorized to the command in order to use it. If the user belongs to a group profile that is authorized to run this command (*USE authority), he can run the command. If he isn't in an authorized group, he's out of luck. The object owner should usually have *ALL authority to the command. If you do this for both the HLDJOB and CHGJOB commands, that should solve this problem for you and prevent unauthorized users from accessing these options.


That's the easy way to do this, but this technique does have two downsides.

First, limiting access to these commands will affect any situation where the commands are run, not just when they are executed during options '2' and '3' of the WRKSBMJOB command. There may be some legitimate cases where your users will need to change or hold their jobs, so think twice about your requirements before you take away their access.

The second problem occurs when you want to limit access to these commands for user profiles that have all object authority (*ALLOBJ) on the system. For *ALLOBJ users, there is no way to restrict them from accessing any object on the system. In order to restrict these users, you may need to review their access and redefine their user profile special authorities back to a level that is more compatible with a controlled system. Not everyone needs to be a security officer to get work done on the system and--in general--the fewer people who have *ALLOBJ authority on your system, the better. For more information on user authorities, see A Checklist for Creating OS/400 User Profiles, Part I.

--Joe

Sponsored By
PATRICK TOWNSEND & ASSOCIATES

Deploy. Run. Manage. Succeed.

Alliance AES/400
Database Field Encryption

· Encrypt credit card, social security, pin numbers and other sensitive data.
· Easy to use with RPG or COBOL - sample code included.
· Get compliant - SOX, Privacy notification, GLBA, Etc.
· Free 30-day trial. Fully functional software - Not a demo.

DB2 field encryption with Alliance AES: Encrypt and decrypt individual fields in AS/400 DB2 database files. Alliance APIs can be used in RPG and Cobol applications including older OPM applications. Alliance AES encryption for DB2 fields integrates with Alliance key management for the secure storage of AES keys.

DB2 file encryption with Alliance AES: Encrypt any DB2 database file with Alliance AES/400. You can specify that the data be converted to ASCII or retained in the original EBCDIC character set. You can also specify that the pass phrase should be converted to ASCII for decryption on an ASCII system such as Microsoft Windows. Alliance DB2 file encryption integrates with Alliance AES key management.

IFS file encryption with Alliance AES: You can encrypt and decrypt IFS (Integrated File System) files with Alliance AES encryption commands. Once encrypted files can be decrypted on an AS/400 or Windows PC or Server platform. You can also use the free Alliance Windows AES encryption application to encrypt files on a Windows platform for decryption on the AS/400. IFS file encryption integrates with Alliance AES key management for secure key storage.

AES self-decrypting archives: Alliance AES/400 can encrypt files into a self-decrypting archive. A self-decrypting archive is a Windows executable program. You can run the self-decrypting archive, enter a pass phrase, and decrypt and extract the file. If run from a command line you can pass the program parameters for the decryption. This is helpful if you are automating the decryption process. If you run the self-decrypting archive program without parameters it presents a Windows GUI dialog for pass phrase and other decryption information.

Report distribution with AES encryption: When Alliance AES encryption is used with the Alliance FTP Manager application you can automatically distribute reports in encrypted or self-decrypting archive format. Reports can be sent from one or more output queues, and reports can be selectively routed from the output queue.

AES key management: Alliance AES/400 provides a complete key management facility to help you securely store keys and pass phrases. All application program interfaces and commands allow the use of a named AES key. The Alliance AES key manager automatically backs up the key store when keys are added or changed.

Windows encryption application: Alliance AES encryption includes a Windows application that you can freely distribute to provide encryption and decryption services. Files encrypted on a Windows platform with the Alliance application can be decrypted on the AS/400. Files encrypted on the AS/400 can be decrypted on the Windows platform.

Sample code: The Alliance AES/400 product includes sample RPG and ILE-RPG source code that demonstrate how to use the encryption APIs. There are also sample CL programs that show how to use the Alliance commands to encrypt and decrypt files, and create self-decrypting archives.

More information:
Patrick Townsend & Associates, Inc.
7700 Earling Street NE
Olympia, WA 98506
Voice: (360) 357-8971
Fax: (360) 357-9047
Email: Info@patownsend.com
Web: www.patownsend.com

Click here for 30 day trial
Technical Editors: Howard Arner, Joe Hertvik, Ted Holt,
Shannon O'Donnell, Kevin Vandever
Contributing Technical Editors: Joel Cochran, Wayne O. Evans, Raymond Everhart,
Bruce Guetzkow, Marc Logemann, David Morris
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

THIS ISSUE
SPONSORED BY:

WorksRight Software
iTera
Patrick Townsend & Associates


Four Hundred Guru

BACK ISSUES

TABLE OF
CONTENTS
REXX Can Talk to Other Languages

The Dangers of Dynamic SQL

Shutting Down WRKSBMJOB Options


The Four Hundred
IBM Raises the Curtain a Little on Future Power Chips, i5/OS V5R4

IDC Quantifies the iSeries Payback for Server Consolidation

Will IBM Marry Off WebFacing to HATS?

Shaking IT Up: Just When You Thought It Was Safe to Use Your New Software

Four Hundred Stuff
Bsafe Steps Forward with New OS/400 Security Tools, Partners

New SkyView Security Tool Assists with Regulatory Compliance

Bytware Unveils Anti-Virus Support for iSeries Linux

Lakeview Crusades Against HA Complexity

Four Hundred Monitor


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034
Privacy Statement