5 pts.
AS/400 security
What are the security issues regarding giving JOBCTL to a User?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Straight from the Info Center;

The Job control (*JOBCTL) special authority allows a user to change the priority of jobs and of printing, end a job before it has finished, or delete output before it has printed. *JOBCTL special authority can also give a user access to confidential spooled output, if output queues are specified OPRCTL(*YES).

Risks: A user who abuses *JOBCTL special authority can cause negative effect on individual jobs and on overall system performance.

This should start the discussion,
Bill Poulin

Discuss This Question: 4  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • TomLiotta
    Note that the risk is generally because *JOBCTL allows the user to control other users' jobs. You don't need *JOBCTL to control your own jobs. Tom
    125,585 pointsBadges:
  • slack400
    The only issue I've seen come up over the years that users cry for *JOBCTL is to get into other user's spooled files when people are out of the office. But I've typically implemented user groups for that type of access. It's a valid level of authority for your system operators and administrators since they're more likely to need troubleshoot user jobs and subsystem issues, but security officers may want to see security auditing in place for anyone who's been granted *JOBCTL authority. Here's a great article on the topic: (From Article) If a user has JOBCTL and is command line restricted with LMTCPB(*YES), he can STILL end your interactive subsystem by going to a command prompt on a Windows PC with iSeries Access loaded and run the following command: RMTCMD ENDSBS QINTER This will end your interactive subsystem, which is really BAD NEWS! And what if the user ends the controlling subsystem? Really, really BAD NEWS!
    2,740 pointsBadges:
  • TomLiotta
    ...a Windows PC with iSeries Access loaded... Note that iSeries Access isn't actually required, nor even a Windows PC. That is, the RMTCMD executable is indeed part of iSeries Access; but rexec() is all that's usually needed from any remote system of any kind in the local network (or elsewhere in many cases). RMTCMD does make things easy, though. Tom
    125,585 pointsBadges:
  • jinteik
    If it is a normal user they dont need job control (especially in production). if you give them job control and they have cmd line, they can practically do what they want by controlling everyone's job
    18,995 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: