How can I give the programmers access to view production (and in some cases development) job logs without giving them *ALLOBJ authority?
To allow operators or employees who are on-call and need to debug a job that's running under a profile that has *ALLOBJ, create a simple CL program.
Have that program be owned by a user with *ALLOBJ special authority and then set the user profile parameter of the compiled CL program to be *OWNER (in other words, have the program adopt authority.) This program will prompt the Display Job Log (DSPJOBLOG) command. Restrict this command to only users with the need to see this type of joblog. The user will need the job number, but will be able to view the joblog of the *ALLOBJ user.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
On AS/400, the journal type AF subtype K, shows that a user profile lacks the special authority required by the function attempting to run. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.