EXCJOBCTL -- Execute Job Control

EXCJOBCTL EXECUTE JOB CONTROL TAAJOCI
The Execute using JOBCTL command is intended for the situation where the user needs JOBCTL authority, but should not be permanently authorized. Specific TAA functions are supported and the Security Officer may authorize other commands. The user must be authorized to the TAAJOBCTL authorization list. A typical command would be: EXCJOBCTL CMD(CVTWRKUSR) + CMDSTRING('STATUS(ALL) OUTLIB(QTEMP)') The EXCJOBCTL command checks the CMD parameter for one of its supported commands. If the command is not supported, CPF9898 is sent as an escape message. If the command is supported, the command and command string are concatenated together and executed using QCMDEXC in a program that adopts the QSECOFR user profile (thus obtaining JOBCTL special authority). Supported commands ------------------ There are two types of supported commands: Implicitly supported commands. The following is provided by the TAA Productivity Tools: CVTWRKUSR Convert Work User Explicitly supported commands. You must enter the command name into the TAAJOBCTL data area in TAASECURE. It could be a system command, a TAA Productivity Tool command, or a user written command. As the Security Officer enter: EDTCONARR DTAARA(TAASECURE/EXCJOBCTL) An entry display will appear and you may enter up to 45 command names that may be executed using EXCJOBCTL. You must enter a specific library name such as QSYS (this is done for security reasons described later). An entry for the system DSPJOB command should appear as: DSPJOB QSYS However, when EXCJOBCTL runs, only the unqualified portion (the command name) is searched for in the data area. Security handling ----------------- Any implicitly supported TAATOOL commands are always executed with a qualified name (such as TAATOOL/CVTWRKUSR). Any commands entered in the EXCJOBCTL data area in TAASECURE are always qualified to the library specified in the data area. The intent of using a qualified command is to prevent misuse of the library list where the user may have his own version of a command name. Since the EXCJOBCTL program operates under the authority of QSECOFR, it is important that the specific intended function be executed and not a bogus version. Command parameters CMD ------------------ CMD The command name to be executed. Only the list of valid commands may be specified. See the previous discussion. The command must be on the library list. CMDSTRING The remainder of the command string (not including the command name) to be executed. Restrictions ------------ * The user must be authorized to the TAAJOBCTL authorization list. ** Only commands supported by EXCJOBCTL may be executed. Prerequisites ------------- The following TAA Tools must be on your system: CONARR Constant array RSNLSTMSG Resend last message SNDESCMSG Send escape message Implementation -------------- None, the tool is ready to use, but the user must be authorized to the TAAJOBCTL authorization list. To authorize a user, use EDTAUTL or specify: ADDAUTLE AUTL(TAAJOBCTL) USER(xxx) AUT(USE) If additional commands are required besides those supported by EXCJOBCTL, use the TAAJOBCTL data area in QSYS as described previously. Objects used by the tool ------------------------ Object Type Attribute Src member Src file ------ ---- --------- ---------- ---------- EXCJOBCTL CMD TAAJOCI QATTCMD TAAJOCIC PGM CLP TAAJOCIC QATTCL TAAJOBCTL AUTL

EXCJOBCTL       EXECUTE JOB CONTROL                    TAAJOCI


The Execute using *JOBCTL  command is intended for the  situation where
the  user  needs  *JOBCTL  authority,  but  should not  be  permanently
authorized.    Specific TAA  functions are  supported and  the Security
Officer may authorize other commands.   The user must be  authorized to
the TAAJOBCTL authorization list.

A typical command would be:

             EXCJOBCTL   CMD(CVTWRKUSR) +
                           CMDSTRING('STATUS(*ALL) OUTLIB(QTEMP)')

The  EXCJOBCTL  command  checks  the  CMD  parameter  for  one  of  its
supported  commands.  If the command is  not supported, CPF9898 is sent
as an escape message.

If the  command  is  supported,  the command  and  command  string  are
concatenated  together and  executed using  QCMDEXC in  a program  that
adopts  the  QSECOFR  user  profile  (thus  obtaining  *JOBCTL  special
authority).

Supported commands
------------------

There are two types of supported commands:

  **   Implicitly supported  commands.   The following  is provided  by
       the TAA Productivity Tools:

                CVTWRKUSR      Convert Work User

  **   Explicitly  supported commands.    You  must enter  the  command
       name into the  TAAJOBCTL data area in TAASECURE.   It could be a
       system  command,  a TAA  Productivity  Tool command,  or  a user
       written command.  As the Security Officer enter:

                EDTCONARR      DTAARA(TAASECURE/EXCJOBCTL)

       An  entry display  will  appear  and  you  may enter  up  to  45
       command names that may be executed using EXCJOBCTL.

       You must  enter a  specific library name  such as QSYS  (this is
       done  for security reasons  described later).  An  entry for the
       system DSPJOB command should appear as:

                        DSPJOB           QSYS

       However, when  EXCJOBCTL  runs,  only  the  unqualified  portion
       (the command name) is searched for in the data area.

Security handling
-----------------

Any implicitly  supported TAATOOL commands  are always executed  with a
qualified  name (such as  TAATOOL/CVTWRKUSR).  Any  commands entered in
the EXCJOBCTL  data  area in  TAASECURE  are always  qualified  to  the
library specified in the data area.

The intent  of using a  qualified command is  to prevent misuse  of the
library  list where  the user  may have  his own  version of  a command
name.   Since  the EXCJOBCTL  program operates  under the  authority of
QSECOFR,  it is  important  that  the  specific  intended  function  be
executed and not a bogus version.

Command parameters                                    *CMD
------------------

   CMD           The command  name to  be executed.   Only the  list of
                 valid  commands may  be specified.   See  the previous
                 discussion.   The  command  must  be  on  the  library
                 list.

   CMDSTRING     The  remainder of  the command  string (not  including
                 the command name) to be executed.

Restrictions
------------

  **   The  user  must  be authorized  to  the  TAAJOBCTL authorization
       list.

  **   Only commands supported by EXCJOBCTL may be executed.

Prerequisites
-------------

The following TAA Tools must be on your system:

     CONARR          Constant array
     RSNLSTMSG       Resend last message
     SNDESCMSG       Send escape message

Implementation
--------------

None, the tool  is ready to  use, but  the user must  be authorized  to
the TAAJOBCTL  authorization list.   To authorize  a user, use  EDTAUTL
or specify:

      ADDAUTLE     AUTL(TAAJOBCTL) USER(xxx) AUT(*USE)

If  additional  commands   are  required  besides  those  supported  by
EXCJOBCTL,   use  the  TAAJOBCTL   data  area  in   QSYS  as  described
previously.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   EXCJOBCTL     *CMD                   TAAJOCI       QATTCMD
   TAAJOCIC      *PGM       CLP         TAAJOCIC      QATTCL
   TAAJOBCTL     *AUTL

Added to TAA Productivity tools October 1, 1997

Home Page

Up to Top