
User authority: How much is too much?

My 400 shop is at security level 30. I would like to change my operators' profile to include *iosyscfg, *jobctl, *savsys, and *secadm. I want my operators to be able to look at joblogs. Shouldn't *jobctl give them this ability? I am still running into "not authorized to view" errors.

Users can see and work with spooled files based on how the output queue was created as well as whether they have *JOBCTL or *SPLCTL special authority. *SPLCTL is the equivalent of *ALLOBJ only for spooled files. They can work with all spooled files on the system -- not usually the scope most organizations want to give their operators. To understand how *JOBCTL works with the outq attributes, check out the iSeries Security Reference manual, Chapter 6 or my book Implementing AS/400 Security - Chapter 6. Both books have a table that explains the settings. Use the OS/400 Print Queue Authority (PRTQAUT) command to list the outqs and their security attributes.

One last thing. Do you realize the power you are giving your Operators? If you do and it's the business decision that you are making, that's fine. Giving Operators *IOSYSCFG gives them the capability to configure all aspects of communications, including changing the configuration of TCP/IP servers, etc. Giving them *SECADM gives them the capability to create user profiles and then manage those profiles.
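
An added example, not part of the original answer and not IBM code: a simplified Python model of how *JOBCTL, *SPLCTL and the output queue attributes DSPDTA, OPRCTL and AUTCHK combine when a user tries to display another user's spooled file, which is the situation behind the "not authorized to view" error. The rules are a summary of the Security Reference table the answer points to and should be checked against the manual for your release; the profile name, queue names and queue settings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class OutQ:
    owner: str
    dspdta: str = "*NO"     # *YES, *NO or *OWNER
    oprctl: str = "*YES"    # *YES or *NO
    autchk: str = "*OWNER"  # *OWNER or *DTAAUT
    data_auth: dict = field(default_factory=dict)  # user -> authorities on the queue

def can_display(user, special, outq, splf_owner):
    """Return (allowed, reason) for displaying a spooled file on outq."""
    if user == splf_owner:
        return True, "owns the spooled file"
    if "*SPLCTL" in special:
        return True, "*SPLCTL special authority"
    if outq.dspdta == "*OWNER":
        return False, "DSPDTA(*OWNER) limits access to the file owner and *SPLCTL"
    if "*JOBCTL" in special and outq.oprctl == "*YES":
        return True, "*JOBCTL with OPRCTL(*YES)"
    auth = outq.data_auth.get(user, set())
    if outq.dspdta == "*YES" and "*READ" in auth:
        return True, "DSPDTA(*YES) with *READ to the queue"
    if outq.autchk == "*OWNER" and user == outq.owner:
        return True, "AUTCHK(*OWNER) and user owns the queue"
    if outq.autchk == "*DTAAUT" and {"*READ", "*ADD", "*DLT"} <= auth:
        return True, "AUTCHK(*DTAAUT) with *READ, *ADD and *DLT to the queue"
    if "*JOBCTL" in special:
        return False, "*JOBCTL is ignored because the queue is OPRCTL(*NO)"
    return False, "no special authority or queue authority applies"

# Constructed sample: the operator profile from the question and three
# hypothetical queues that differ only in the attributes that matter here.
OPER = ("OPER1", {"*IOSYSCFG", "*JOBCTL", "*SAVSYS", "*SECADM"})
QUEUES = {
    "LOGQ_A": OutQ(owner="OUTQOWN", oprctl="*YES"),
    "LOGQ_B": OutQ(owner="OUTQOWN", oprctl="*NO"),
    "LOGQ_C": OutQ(owner="OUTQOWN", dspdta="*OWNER"),
}

def report(user=OPER, queues=QUEUES, splf_owner="APPUSER"):
    """Evaluate the user against every queue for a file owned by splf_owner."""
    name, special = user
    return {q: can_display(name, special, o, splf_owner) for q, o in queues.items()}

if __name__ == "__main__":
    for q, (ok, why) in report().items():
        print(f"{q}: {'allowed' if ok else 'not authorized'} ({why})")
```

On a real system the attribute values fed into such a check come from the PRTQAUT report mentioned in the answer.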
