
Start and stop jobs without creating security holes

We recently upgraded an application package on our iSeries that requires significantly more authority to stop and start the subsystem and jobs than it previously required. Currently only QSECOFR can stop and start the processes. How can I allow my programming team to be able to stop and start the processes without creating security holes? Previously the processes ran under a specific user profile that was invoked by a CLP whenever the startup program was called. We had to add special authorities to that profile and now no one can start the software except QSECOFR. I tried granting my user profile *USE authority to the common user profile that runs the software and that did not work. Any ideas before I call the software vendor?

First of all, I encourage you to contact the vendor regardless of whether this tip helps you or not. Unless all of us let vendors know that their security implementation is unacceptable, they are going to continue to foist these problems upon us. Until you can get an acceptable scheme from the vendor, you might try creating a program that is owned by a profile with sufficient authority to stop/start the processes. Have the program adopt authority (change the user profile parameter to user profile (*OWNER)). Then the sole purpose of this program is to start/stop the processes. You could have two different programs - one for each process - if you need different people to perform the start from those who perform the stop.
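
One way to build the adopting start program described in the answer above, as an added example that is not part of the original answer or the vendor's software. The names SECTOOLS, APPLIB/APPSBS, APPOWNER and PGMRGRP are hypothetical placeholders; a matching stop program would wrap ENDSBS the same way and can be granted to a different group.

```cl
/* STRAPP: start the application subsystem under adopted authority.   */
/* Hypothetical names (assumptions, not from the original page):      */
/*   SECTOOLS       library that only administrators can change       */
/*   APPLIB/APPSBS  the vendor's subsystem description                */
/*   APPOWNER       profile that holds the authority the start needs  */
/*   PGMRGRP        group profile of the programming team             */
/*                                                                    */
/* Build and lock down (run once by a security administrator):        */
/*   CRTCLPGM  PGM(SECTOOLS/STRAPP) SRCFILE(SECTOOLS/QCLSRC) +        */
/*               USRPRF(*OWNER)                                       */
/*   CHGOBJOWN OBJ(SECTOOLS/STRAPP) OBJTYPE(*PGM) NEWOWN(APPOWNER)    */
/*   RVKOBJAUT OBJ(SECTOOLS/STRAPP) OBJTYPE(*PGM) USER(*PUBLIC) +     */
/*               AUT(*ALL)                                            */
/*   GRTOBJAUT OBJ(SECTOOLS/STRAPP) OBJTYPE(*PGM) USER(PGMRGRP) +     */
/*               AUT(*USE)                                            */
/*                                                                    */
/* Callers need only *USE to the program, not to APPOWNER itself.     */

             PGM        /* No parameters: the caller cannot choose    */
                        /* what runs under the owner's authority.     */

             /* Library-qualified so the caller's library list        */
             /* cannot redirect the command to another object.        */
             STRSBS     SBSD(APPLIB/APPSBS)

             /* Report any failure to the caller and end. Never drop  */
             /* to a command line or call QCMD while adopting.        */
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSG('STRAPP: STRSBS failed, see job log.')
             ENDDO

             ENDPGM
```

Keeping the program to a single hard-coded command, and keeping *PUBLIC excluded from it, is what stops the adopted authority from becoming a general-purpose escalation path.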

