QPJOBLOG security - prevent people from deleting their joblogs
Rob Berendt wrote:
>How can I prevent people from deleting their joblogs?
There has been a lot of good discussion on this topic, but there is one solution that has not been mentioned yet. You can use the Control Job Log Output (QMHCTLJL) API to cause the job log to be placed into physical files instead of being placed into a spooled file. Then by using object authority you can prevent users from even reading those physical files. Here is a sample CL program that uses this API to do just that.

PGM
/* &FILENAME is the structure passed to QMHCTLJL in format CTLJ0100 */
DCL VAR(&FILENAME) TYPE(*CHAR) LEN(65)
DCL VAR(&FORMAT) TYPE(*CHAR) LEN(8) VALUE('CTLJ0100')
DCL VAR(&MSG) TYPE(*CHAR) LEN(30)
DCL VAR(&FILTER) TYPE(*CHAR) LEN(4) VALUE(X'00000000')
DCL VAR(&MSGQ) TYPE(*CHAR) LEN(20) VALUE('*SYSOPR ')
DCL VAR(&ERROR) TYPE(*CHAR) LEN(256) VALUE(X'00000000')
DCL VAR(&USR) TYPE(*CHAR) LEN(10)
DCL VAR(&NBR) TYPE(*CHAR) LEN(6)

/* User profile and job number of the current job */
RTVJOBA USER(&USR) NBR(&NBR)

CHGVAR VAR(%BIN(&FILENAME 1 4)) VALUE(65)
/* First file: 'P' + first 9 characters of the user profile, library JOBLOG */
CHGVAR VAR(%SST(&FILENAME 5 10)) VALUE('P ')
CHGVAR VAR(%SST(&FILENAME 6 9)) VALUE(&USR)
CHGVAR VAR(%SST(&FILENAME 15 10)) VALUE('JOBLOG ')
/* Member: 'JOB' + job number */
CHGVAR VAR(%SST(&FILENAME 25 10)) VALUE('JOB ')
CHGVAR VAR(%SST(&FILENAME 28 6)) VALUE(&NBR)
/* Second file: 'S' + first 9 characters of the user profile, same library and member */
CHGVAR VAR(%SST(&FILENAME 35 10)) VALUE('S ')
CHGVAR VAR(%SST(&FILENAME 36 9)) VALUE(&USR)
CHGVAR VAR(%SST(&FILENAME 45 10)) VALUE('JOBLOG ')
CHGVAR VAR(%SST(&FILENAME 55 10)) VALUE(%SST(&FILENAME 25 10))
CHGVAR VAR(%SST(&FILENAME 65 1)) VALUE('0')

CALL PGM(QSYS/QMHCTLJL) PARM(&FILENAME &FORMAT &MSG &FILTER +
     &MSGQ &ERROR)

/* Change the owner of both files and revoke all *PUBLIC authority */
CHGOBJOWN OBJ(JOBLOG/%SST(&FILENAME 5 10)) OBJTYPE(*FILE) +
     NEWOWN(______) CUROWNAUT(*REVOKE)
RVKOBJAUT OBJ(JOBLOG/%SST(&FILENAME 5 10)) OBJTYPE(*FILE) +
     USER(*PUBLIC) AUT(*ALL)
CHGOBJOWN OBJ(JOBLOG/%SST(&FILENAME 35 10)) OBJTYPE(*FILE) +
     NEWOWN(______) CUROWNAUT(*REVOKE)
RVKOBJAUT OBJ(JOBLOG/%SST(&FILENAME 35 10)) OBJTYPE(*FILE) +
     USER(*PUBLIC) AUT(*ALL)
ENDPGM

Before using the program, create library JOBLOG. Also change 'NEWOWN (______)' in the above source to change the physical files created into that library to be owned by the same user profile that will own the CL program. Then create the program while specifying USRPRF(*OWNER). Now, after the program is called in a job, if that job produces a job log, that job log will be placed into two members of two physical files in the JOBLOG library. The names of the two physical files will be P and S followed by the first 9 characters of the user profile name.
One enhancement that is needed is to have the program send a message somewhere that includes the full job name and the names of the physical files and the member that will be used for the job log. This should help you determine which member to look at.
Ed Fishel,
edfishel@US.IBM.COM
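
One way to write the enhancement mentioned above, as an added example that is not part of the original post: it rebuilds the same file and member names and sends them with the full job name in an informational message. The variable names and the choice of *SYSOPR as the destination are assumptions.

```cl
PGM
DCL VAR(&JOB) TYPE(*CHAR) LEN(10)
DCL VAR(&USR) TYPE(*CHAR) LEN(10)
DCL VAR(&NBR) TYPE(*CHAR) LEN(6)
DCL VAR(&PFILE) TYPE(*CHAR) LEN(10)
DCL VAR(&SFILE) TYPE(*CHAR) LEN(10)
DCL VAR(&MBR) TYPE(*CHAR) LEN(10)
DCL VAR(&TEXT) TYPE(*CHAR) LEN(132)

/* Full job name is number/user/name */
RTVJOBA JOB(&JOB) USER(&USR) NBR(&NBR)

/* Same naming as the program in the post: 'P' or 'S' + first 9  */
/* characters of the user profile, member 'JOB' + job number     */
CHGVAR VAR(&PFILE) VALUE('P' *CAT %SST(&USR 1 9))
CHGVAR VAR(&SFILE) VALUE('S' *CAT %SST(&USR 1 9))
CHGVAR VAR(&MBR) VALUE('JOB' *CAT &NBR)

/* *TCAT drops trailing blanks, *BCAT joins with a single blank */
CHGVAR VAR(&TEXT) VALUE('Job' *BCAT &NBR *CAT '/' +
     *CAT &USR *TCAT '/' *CAT &JOB +
     *TCAT ': job log goes to JOBLOG/' *CAT &PFILE +
     *TCAT ' and JOBLOG/' *CAT &SFILE +
     *TCAT ', member' *BCAT &MBR)

/* Assumption: the system operator queue is the place to record this */
SNDPGMMSG MSG(&TEXT) TOMSGQ(*SYSOPR) MSGTYPE(*INFO)
ENDPGM
```

Because only the first 9 characters of the user profile name go into the file names, profiles that share those 9 characters write to the same two files; the job number in the member name is what tells their job logs apart.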