My user profile is the same as my iSeries security profile. I'm concerned that when developers or support teams use the SBMJOB command they can put my profile or jobd -- that has more authority than their own profile -- in the SBMJOB user parameter. Is there a way we can block this parameter, or can we force them to use their own user profile?
My first suggestion is to move to security level 40 or 50. To use a job description at 40 and above, the user must have *USE authority to the user profile named in the job description. My next suggestion is to examine the *PUBLIC authority of the user profiles on your system. Profiles with *PUBLIC authority *USE can be used by others when submitting a job, using the swap profile APIs, etc. It is very rare that profiles should be set to anything other than *EXCLUDE. There are some exceptions - some IBM-supplied user profiles have some *PUBLIC authority. All system-supplied user profiles are listed in the back of the security reference manual along with their *PUBLIC authorities so you can see what they're supposed to be. I wouldn't recommend that you change the *PUBLIC authority of those IBM profiles, but I would recommend that you examine and, perhaps, change the authority of user profiles you have created.
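
One way to run the *PUBLIC authority review described in the answer, as an added example that is not part of the original answer. It assumes an IBM i release that provides the QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO SQL services, and it treats a leading "Q" in the profile name as a rough marker for IBM-supplied profiles.

```sql
-- Added example: list user-created profiles whose *PUBLIC authority is
-- anything other than *EXCLUDE, with the attributes that show how much
-- authority a job submitted under each profile would run with.
-- Assumption: the QSYS2 services used here are installed on this release.
SELECT p.SYSTEM_OBJECT_NAME  AS user_profile,
       p.OBJECT_AUTHORITY    AS public_authority,
       u.STATUS,
       u.USER_CLASS_NAME,
       u.SPECIAL_AUTHORITIES
  FROM QSYS2.OBJECT_PRIVILEGES p
  JOIN QSYS2.USER_INFO u
    ON u.AUTHORIZATION_NAME = p.SYSTEM_OBJECT_NAME
 WHERE p.SYSTEM_OBJECT_SCHEMA = 'QSYS'          -- user profiles live in QSYS
   AND p.OBJECT_TYPE          = '*USRPRF'
   AND p.AUTHORIZATION_NAME   = '*PUBLIC'
   AND p.OBJECT_AUTHORITY    <> '*EXCLUDE'
   -- Heuristic only: skip Q* names so IBM-supplied profiles, which the
   -- answer says to leave alone, are compared against the security
   -- reference manual separately.
   AND p.SYSTEM_OBJECT_NAME NOT LIKE 'Q%'
 ORDER BY p.SYSTEM_OBJECT_NAME;
```

Each profile returned can be reviewed and, where appropriate, changed with `GRTOBJAUT OBJ(QSYS/profile-name) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)`, where `profile-name` is a placeholder.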