A performance issue has security implications when someone with the right user profile authorities abuses them and uses up excessive system resources in their own interest. That can happen, for example, when programmers boost the execution priority for their jobs at the expense of interactive processing. It can also happen when someone runs a batch job interactively, thereby bringing other interactive users to a crawl. When this occurs, it is clearly a security issue, as the user(s) in question are abusing their system privileges.
The execution priority of a job is controlled by its job priority, which is set by the job description that is used for the job. It can also be changed on the fly by someone with *JOBCTL special authority associated with their user profile. If you see that happening, you might want to remove *JOBCTL from their user profile. Restricting access to the CHGJOB command can also help.
To restrict access to the CHGJOB command, run the following command on your system:
GRTOBJAUT OBJ(CHGJOB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
That will change the command so only authorized user profiles can use it. To add a user profile to those allowed access to this command, use the following command:
GRTOBJAUT OBJ(CHGJOB) OBJTYPE(*CMD) USER(MYUSRPRF) AUT(*USE)
That allows the profile MYUSRPRF to use that command while excluding all others. Of course, any user profile with All Object Authority (*ALLOBJ) will still have access, so that exception also has to be taken into account.
Limiting access to command objects on your system is a good way to control who can do what. Another command that you should consider for similar treatment is the Change Shared Storage Pool (CHGSHRPOOL) command. That command can be used to control performance characteristics for jobs running on your system through the allocation of memory resources and processing time slices.
If performance problems are still preventing production work from getting done efficiently, users may be running batch jobs interactively. If your applications are run from OS/400 commands, you can change the commands so that they will not function when called in an interactive environment. You can do this using the Change Command (CHGCMD) command, setting the ALLOW parameter to remove the *INTERACT, *IPGM and *IREXX options.
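The following CL program is an added example, not part of the original article. It applies the same authority treatment to CHGSHRPOOL and makes one application command batch-only. MYLIB/MYAPPCMD is a hypothetical command name, and MYUSRPRF is the sample profile used above.

```cl
/* Added example. MYLIB/MYAPPCMD is a hypothetical application      */
/* command; substitute the command and library used on your system. */
PGM

  /* Give CHGSHRPOOL the same treatment as CHGJOB: exclude *PUBLIC, */
  /* then grant *USE only to the profile that needs the command.    */
  GRTOBJAUT  OBJ(CHGSHRPOOL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT  OBJ(CHGSHRPOOL) OBJTYPE(*CMD) USER(MYUSRPRF) AUT(*USE)

  /* Print the resulting authorities so the change can be reviewed. */
  /* Profiles with *ALLOBJ can still run the command regardless.    */
  DSPOBJAUT  OBJ(CHGSHRPOOL) OBJTYPE(*CMD) OUTPUT(*PRINT)

  /* Print the command definition first to record the current       */
  /* ALLOW setting before it is changed.                            */
  DSPCMD     CMD(MYLIB/MYAPPCMD) OUTPUT(*PRINT)

  /* ALLOW takes the list of environments that remain valid, so     */
  /* removing the interactive values means naming only the batch    */
  /* ones: batch job stream, batch CL program, batch REXX           */
  /* procedure and batch ILE CL module.                             */
  CHGCMD     CMD(MYLIB/MYAPPCMD) ALLOW(*BATCH *BPGM *BREXX *BMOD)

  /* Print the definition again to confirm the new ALLOW values.    */
  DSPCMD     CMD(MYLIB/MYAPPCMD) OUTPUT(*PRINT)

ENDPGM
```

The CHGCMD setting is stored in the command object, so it has to be reapplied if the command is deleted and created again.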
If you have specific questions about this topic, e-mail me at email@example.com. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in February 2006