First, describe what you want to accomplish. Why should some user not be able to schedule their jobs? Note that SBMJOB can also be used to ‘schedule’ a job, so restricting ADDJOBSCDE isn’t enough. Second, the most common reason to be concerned about the scheduler is that users have been incorrectly given *JOBCTL special authority which gives them authority to control any other user’s jobs. The correct action is to remove *JOBCTL from the user profile. Third, what “browse command” are you thinking about? If we know what your business problem is, we might know a better way to resolve it. — Tom
Due to segregation of duties I need to split access to the job scheduler. One team needs to have full access; the other team needs to be able to view only, i.e. look at the scheduler, look at parameters in the job and so on. I want to give them such a command to allow ‘browse’ access.
If a user has *JOBCTL special authority, there is no authority that can stop them from changing someone else’s job. That’s why it’s called a special authority. That’s why it should only be given to users who are supposed to be able to change any job in the system.
If users don’t have *JOBCTL, they can’t change another user’s jobs on the job scheduler unless they have authority to the user profile of the job. Don’t give authority if you don’t want it used.
If you don’t want jobs changed, don’t give *JOBCTL. If the users don’t have *JOBCTL, they can only control their own jobs. Users can always control their own jobs even without *JOBCTL. That’s how “separation of duties” works.
There should be no problem with the job scheduler unless improper special authorities have been granted. You can’t override special authorities.
You can revoke *CHANGE authority to the job scheduler object, and that will stop changes to the scheduler. But it doesn’t stop changes to the scheduled jobs. A ‘separation of duties’ should apply to the jobs, not the scheduler.
So, start assigning *USE authority to object QDFTJOBSCD, type *JOBSCD, in library QUSRSYS, for every user you want to restrict, or change *PUBLIC authority to *USE and explicitly add each profile you want to have *CHANGE. Just don’t expect that jobs can’t be changed, and be prepared to maintain authorities whenever new users start or old users change.
It’d be a lot easier if users simply had appropriate authorities. Then there wouldn’t be ways around it that you’re always going to have to be searching for. As long as you set your security scheme with known holes, there will always be trouble possible.
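
The steps discussed in this thread, written out as a CL sketch. This is an added example, not code from any of the posts; the profile names SCHEDADM (full-access team) and OPERVIEW (view-only team) are hypothetical, and SPCAUT(*NONE) assumes the view-only profile needs no other special authority.

```cl
/* Added example: audit *JOBCTL, then set object authority on the     */
/* job scheduler object named in the thread.                          */
/* SCHEDADM and OPERVIEW are hypothetical profile names.              */
PGM

  /* 1. Report every user profile that holds *JOBCTL special          */
  /*    authority. Review the group profiles in the report too,       */
  /*    since members inherit a group's special authorities.          */
  PRTUSRPRF  TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*JOBCTL)

  /* 2. Remove *JOBCTL from the view-only profile. SPCAUT replaces    */
  /*    the whole list, so name every special authority the profile   */
  /*    must keep. *NONE here is an assumption for this example.      */
  CHGUSRPRF  USRPRF(OPERVIEW) SPCAUT(*NONE)

  /* 3. Make the scheduler object read-only by default and grant      */
  /*    *CHANGE only to the team that maintains schedule entries.     */
  GRTOBJAUT  OBJ(QUSRSYS/QDFTJOBSCD) OBJTYPE(*JOBSCD) +
               USER(*PUBLIC) AUT(*USE) REPLACE(*YES)
  GRTOBJAUT  OBJ(QUSRSYS/QDFTJOBSCD) OBJTYPE(*JOBSCD) +
               USER(SCHEDADM) AUT(*CHANGE) REPLACE(*YES)

  /* 4. Print the resulting authorities for the change record.        */
  DSPOBJAUT  OBJ(QUSRSYS/QDFTJOBSCD) OBJTYPE(*JOBSCD) OUTPUT(*PRINT)

ENDPGM
```

Step 3 only limits changes to the scheduler object itself; as noted above, any profile that still holds *JOBCTL can change other users' jobs regardless, so step 1 has to be repeated whenever profiles are added or changed.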