Display the scheduler on iSeries system

15 pts.
Tags:
AS/400
IBM iSeries
iSeries Access
How can I remove access to WRKJOBSCDE,CHGJOBSCDE, ADDJOBSCDE and leave a user with access to a browse command?

Answer Wiki

Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    First, describe what you want to accomplish. Why should some user not be able to schedule their jobs? Note that SBMJOB can also be used to 'schedule' a job, so restricting ADDJOBSCDE isn't enough. Second, the most common reason to be concerned about the scheduler is that users have been incorrectly given *JOBCTL special authority which gives them authority to control any other user's jobs. The correct action is to remove *JOBCTL from the user profile.Third, what "browse command" are you thinking about? If we know what your business problem is, we might know a better way to resolve it.  -- Tom
    125,585 pointsBadges:
    report
  • scheduler1
    Due to segregation of duties I need to split access to job scheduler. One team needs to have full access the other team needs to be able to view only i.e look at scheduler , look at parameters in the job and so on. I want to give them such a command to allow 'browse' access.
    15 pointsBadges:
    report
  • TomLiotta
    If a user has *JOBCTL special authority, there is no authority that can stop them from changing someone else's job. That's why it's called a special authority. That's why it should only be given to users who are supposed to be able to change any job in the system.   If users don't have *JOBCTL, they can't change another user's jobs on the job scheduler unless they have authority to the user profile of the job. Don't give authority if you don't want it used.   If you don't want jobs changed, don't give *JOBCTL. If the users don't have *JOBCTL, they can only control their own jobs. Users can always control their own jobs even without *JOBCTL. That's how "separation of duties" works.   There should be no problem with the job scheduler unless improper special authorities have been granted. You can't override special authorities.   You can revoke *CHANGE authority to the job scheduler object, and that will stop changes to the scheduler. But it doesn't stop changes to the scheduled jobs. A 'separation of duties' should apply to the jobs, not the scheduer.   So, start assigning *USE authority to object QDFTJOBSCD, type *JOBSCD, in library QUSRSYS, for every user you want to restrict, or change *PUBLIC authority to *USE and explicitly add each profile you want to have *CHANGE. Just don't expect that jobs can't be changed, and be prepared to maintain authorities whenever new users start or old users change.   It'd be a lot easier if users simply had appropriate authorities. Then there wouldn't be ways around it that you're always going to have to be searching for. As long as you set your security scheme with known holes, there will always be trouble possible.   Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following