Start and stop jobs without creating security holes

We recently upgraded an application package on our iSeries that requires significantly more authority to stop and start the subsystem and jobs than it previously required. Currently only QSECOFR can stop and start the processes. How can I allow my programming team to be able to stop and start the processes without creating security holes? Previously the processes ran under a specific user profile that was invoked by a CLP whenever the startup program was called. We had to add special authorities to that profile and now no one can start the software except QSECOFR. I tried granting my user profile *USE authority to the common user profile that runs the software and that did not work. Any ideas before I call the software vendor?

First of all, I encourage you to contact the vendor regardless of whether this tip helps you or not. Unless all of us let vendors know that their security implementation is unacceptable, they are going to continue to foist these problems upon us. Until you can get an acceptable scheme from the vendor, you might try creating a program that is owned by a profile with sufficient authority to stop/start the processes. Have the program adopt (change the user profile parameter to user profile (*OWNER)) authority. Then the sole purpose of this program is to start/stop the processes. You could have two different programs - one for each process - if you need different people to perform the start from those who perform the stop.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

The Best Web Links: Tips, tutorials and more.

Search400's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Read this Search400 Featured Topic: Secure your iSeries


This was first published in August 2002

Back to top