> If you give QPGMR *USE authority to the GAL profile,  then
> any user
> who belongs to the group QPGMR will also have authority to
> submit
> jobs "as" GAL...

True, and I like your adopted authority approach better
(though I would create a profile other than QSECOFR to
adopt).  But this reply begs the question, "Why would you
ever make QPGMR (or any other IBM profile) a group profile?"


There are just so many ways to assume QPGMR's identity, if
it is a group profile, or worse yet if it is a production
object owning profile, there are likely a number of ways
that people can compromise your system by acquiring QPGMR's
rights.

And the reverse is true as well, If there are a number of
people who belong to the QPGMR group, then these folks can
get into some of the internal IBM routines (Like QSTRUP, for
example) and mess things up in the OS.  Either way, I think
it's a bad idea to mix IBM profiles with your applications.

So, to give a more appropriate answer to the original
question, I would create a tiny CL program that performed
the two SBMJOB's, and compile that program to run under
GAL's authority.  Then give QPGMR just *USE authority to the
program.

That's secure, simple, and minimizes QPGMR's reach into your
application.

But that's JMHO,  :)

jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxxxxxxx
www.powertech.com 
 

 
This email message and any attachments are intended only for
the use of the intended recipients and may contain
information that is privileged and confidential. If you are
not the intended recipient, any dissemination, distribution,
or copying is strictly prohibited. If you received this
email message in error, please immediately notify the sender
by replying to this email message, or by telephone, and
delete the message from your email system.
--



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.