AS400 JOBCTL
What are the security issues regarding giving JOBCTL to a User?

ASKED: February 22, 2011  4:48 PM
UPDATED: March 16, 2011  2:55 AM

Answer Wiki:
Straight from the Info Center: The Job control (*JOBCTL) special authority allows a user to change the priority of jobs and of printing, end a job before it has finished, or delete output before it has printed. *JOBCTL special authority can also give a user access to confidential spooled output, if output queues are specified OPRCTL(*YES).

Risks: A user who abuses *JOBCTL special authority can cause a negative effect on individual jobs and on overall system performance.

This should start the discussion, Bill Poulin
Last Wiki Answer Submitted: February 22, 2011 5:01 pm by wpoulin
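
Two checks that follow from the wiki answer, added here as an example and not part of the original post: who actually holds *JOBCTL (directly or through a group profile), and which output queues are OPRCTL(*YES), since that combination is what exposes other users' spooled output. It uses the IBM-supplied QSYS2.USER_INFO and QSYS2.OUTPUT_QUEUE_INFO views (IBM i 7.1 and later); the column names are assumed from IBM's documentation for those views, so confirm them against the Info Center for your release.

```sql
-- Added example, not from the original thread. Assumes the QSYS2.USER_INFO and
-- QSYS2.OUTPUT_QUEUE_INFO services (IBM i 7.1+) with the column names used below.

-- 1. Profiles that hold *JOBCTL directly. LIMIT_CAPABILITIES is shown because
--    LMTCPB(*YES) does not stop a *JOBCTL holder from using RMTCMD or rexec.
SELECT authorization_name,
       status,
       user_class_name,
       limit_capabilities,
       group_profile_name,
       special_authorities
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*JOBCTL%'
 ORDER BY authorization_name;

-- 2. Profiles that inherit *JOBCTL from their primary group profile even though
--    their own SPECIAL_AUTHORITIES does not list it. Supplemental groups live in
--    SUPPLEMENTAL_GROUP_LIST and need the same treatment.
SELECT u.authorization_name,
       u.group_profile_name AS inherits_from
  FROM qsys2.user_info u
  JOIN qsys2.user_info g
    ON g.authorization_name = u.group_profile_name
 WHERE g.special_authorities LIKE '%*JOBCTL%'
   AND u.special_authorities NOT LIKE '%*JOBCTL%'
 ORDER BY u.authorization_name;

-- 3. Output queues that are operator controlled. Any *JOBCTL holder can control
--    the spooled files on these queues; whether the data can also be displayed
--    depends on DSPDTA (DISPLAY_ANY_FILE), so that column is included.
SELECT output_queue_library_name,
       output_queue_name,
       operator_controlled,
       display_any_file,
       authority_to_check,
       number_of_files
  FROM qsys2.output_queue_info
 WHERE operator_controlled = 'YES'
 ORDER BY output_queue_library_name, output_queue_name;
```

Run from ACS Run SQL Scripts or RUNSQLSTM. The first query lists IBM-supplied Q* profiles as well; filter them out with `AND authorization_name NOT LIKE 'Q%'` if you only want human users, but keep in mind that the group-inheritance query is the one that usually turns up the surprises.
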


Discuss This Question:
Note that the risk is generally because *JOBCTL allows the user to control other users’ jobs. You don’t need *JOBCTL to control your own jobs.

Tom

The only issue I’ve seen come up over the years where users cry for *JOBCTL is to get into other users’ spooled files when people are out of the office. But I’ve typically implemented user groups for that type of access.

It’s a valid level of authority for your system operators and administrators, since they’re more likely to need to troubleshoot user jobs and subsystem issues, but security officers may want to see security auditing in place for anyone who’s been granted *JOBCTL authority.

Here’s a great article on the topic: http://systeminetwork.com/article/what-jobctl-special-authority-anyway
(From Article)
If a user has JOBCTL and is command-line restricted with LMTCPB(*YES), he can STILL end your interactive subsystem by going to a command prompt on a Windows PC with iSeries Access loaded and running the following command:

RMTCMD ENDSBS QINTER

This will end your interactive subsystem, which is really BAD NEWS! And what if the user ends the controlling subsystem? Really, really BAD NEWS!

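
One way to put the auditing the comment above asks for in place, added here as an example (not from the thread or from the linked article). It uses QSYS2.QCMDEXC to run CHGUSRAUD for every profile that currently holds *JOBCTL, then reads back USER_ACTION_AUDIT_LEVEL to confirm. Assumptions: IBM i 7.1 or later with the QSYS2 services, the QAUDJRN journal already created, and QAUDCTL including *AUDLVL (otherwise the per-user AUDLVL values are set but nothing is journaled); the caller needs *AUDIT special authority. The column names are taken from IBM's documentation for USER_INFO; verify them on your release.

```sql
-- Added example, not from the original thread. Requires *AUDIT special authority,
-- an existing QAUDJRN journal, and QAUDCTL containing *AUDLVL.
-- Assumed IBM-supplied services: QSYS2.USER_INFO, QSYS2.QCMDEXC.

-- Turn on job (*JOBDTA), spooled-file (*SPLFDTA) and command (*CMD) auditing for
-- every non-IBM profile that holds *JOBCTL. Q* profiles are skipped so that
-- IBM-supplied profiles are handled deliberately rather than in bulk.
BEGIN
  FOR jobctl_users AS jobctl_cursor CURSOR FOR
      SELECT RTRIM(authorization_name) AS usr
        FROM qsys2.user_info
       WHERE special_authorities LIKE '%*JOBCTL%'
         AND authorization_name NOT LIKE 'Q%'
  DO
    CALL qsys2.qcmdexc(
      'CHGUSRAUD USRPRF(' CONCAT usr CONCAT ') AUDLVL(*JOBDTA *SPLFDTA *CMD)');
  END FOR;
END;

-- Verify: every *JOBCTL holder should now show the three audit values.
-- Rows where USER_ACTION_AUDIT_LEVEL is blank are the ones still unaudited.
SELECT authorization_name,
       special_authorities,
       user_action_audit_level
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*JOBCTL%'
 ORDER BY authorization_name;
```

Run it from ACS Run SQL Scripts or RUNSQLSTM. *CMD auditing is noisy on a busy operator profile; *JOBDTA and *SPLFDTA alone cover the actions the wiki answer warns about (ending jobs, changing priorities, deleting or viewing spooled output), while *CMD is what records a command arriving over RMTCMD or rexec. Auditing records what a *JOBCTL holder does; it does not close the RMTCMD/rexec path itself, which depends on whether the remote command host server and the REXEC server are started.
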
…a Windows PC with iSeries Access loaded…

Note that iSeries Access isn’t actually required, nor even a Windows PC. That is, the RMTCMD executable is indeed part of iSeries Access; but rexec() is all that’s usually needed from any remote system of any kind in the local network (or elsewhere in many cases). RMTCMD does make things easy, though.

Tom

If it is a normal user, they don’t need job control (especially in production). If you give them job control and they have a command line, they can practically do what they want by controlling everyone’s jobs.
