DSPJOB3 -- Display Job 3 - Allows Any Job

DSPJOB3 DISPLAY JOB 3 TAAJODC
The Display Job 3 command allows a user who has USE authority to the TAAJOBCTL authorization list to perform DSPJOB functions for a job that is not his own. This allows trusted individuals (such as programmers) to have DSPJOB capability as if they had JOBCTL special authority without directly specifying JOBCTL in their user profile. The JOBCTL special authority provides a lot of capability such as: - Display any job - Display spooled file data for any job, change the spooled file, delete the spooled file (except for spooled files in 'private output queues') - Change any job - End any job - Clear job queues - Clear output queues - Power down the system Because of this, some installations want to minimize the use of JOBCTL special authority, but still have a need to allow some users to display jobs that are not their own. DSPJOB3 provides this capability by allowing trusted users to be authorized to the TAAJOBCTL authorization list. DSPJOB3 supports the same parameters as the system DSPJOB command. A typical command would be: DSPJOB3 JOB(xxx) Assuming the user was authorized, the TAA DSPJOB3 menu would appear which has the same options as the system DSPJOB menu. The DSPJOB3 command is authorized for PUBLIC(USE). This allows any user to use the command, but the following rules exist: ** If a user has no authority to the TAAJOBCTL authorization list and does not have JOBCTL special authority, the user can only operate on his own jobs (TAA9894 is sent as an escape message if the user is not the owner of the job). * If a user has USE authority to the TAAJOBCTL authorization list or has JOBCTL special authority, the user can display a job which is not his own (it is also possible to adopt authority to JOBCTL in a program that runs the DSPJOB3 command). Two restrictions exist when displaying a job other than your own (these are the same as supported by the system DSPJOB command): -- Spooled files which exist in a 'private output queue' can be listed, but the data cannot be displayed unless the user has SPLCTL special authority (it is not adopted). A 'private output queue' is created by the CRTOUTQ command OPRCTL(NO) function. -- The DSPJOB OPTION(JOBLOG) is prevented if the user running the command does not have ALLOBJ special authority and attempts to display a job of a user who has ALLOBJ special authority. Duplicate job handling ---------------------- If a fully qualified job name is not entered, there may be duplicate jobs for the same values entered (either Job or Job/User). DSPJOB3 supports the same DSPDUPJOB parameter as on DSPJOB. The default is SELECT to display a menu of the duplicates. This occurs by using the TAA DSPDUPJOB display and the user may select the job to be displayed. If DSPDUPJOB(MSG) is specified, the CPF1069 escape message (same ID used by DSPJOB) will be sent if duplicates exist. TAAJOBCTL Authorization List ---------------------------- The TAAJOBCTL authorization list allows certain TAA Tools to function as if the user was directly authorized to JOBCTL special authority. By authorizing a user to USE authority to the Authorization List, you enable the user to do a few other functions which are similar to DSPJOB3. The EXCJOBCTL command is under control of the TAAJOBCTL authorization list. The EXCJOBCTL command allows a user to run some standard TAA functions such as CVTWRKUSR which creates an outfile of job information. The Security Officer may also specify what other commands may be run under JOBCTL special authority. See the discussion with the EXCJOBCTL tool. TAAJOBCTL Special profile ------------------------- The owner of the DSPJOB3 processing program (TAAJODCC) is TAAJOBCTL. This special profile is created when installing the TAA Productivity Tools and has the special authority JOBCTL. No other special authorities exist. The profile is created with PASSWORD(NONE) so it may not be signed onto. The processing program (TAAJODCC) adopts the owners authority (TAAJOBCTL) during the running of the program. Checking for authorization is done using a program that 'unadopts'. The purpose of using the TAAJOBCTL user profile (rather than QSECOFR who owns other TAATOOL objects) is to prevent the adoption of SPLCTL. SPLCTL special authority allows access to any spooled file including those in 'private output queues'. Unless the user of the DSPJOB3 command is the same as the user of the job (or the the user of the command has the SPLCTL special authority), spooled files in 'private output queues' cannot be displayed with DSPJOB3. When the TAA Productivity Tools are installed, the TAAJOBCTL user profile and DSPJOB3 program are set to allow correct processing. During the execution of the DSPJOB3 program, the program owner and user profile are checked to ensure that: The DSPJOB3 program is owned by TAAJOBCTL. The TAAJOBCTL user profile has the special authority JOBCTL and no other special authorities. DSPJOB3 escape messages you can monitor for -------------------------------------------- CPF1069 If duplicate jobs exist and DSPDUPJOB(MSG) CPF1070 The job could not be found TAA9894 Not authorized to another users job - User is not authorized to TAAJOBCTL AUTL Escape messages from based on functions will be re-sent. Command parameters CMD ------------------ JOB The qualified name of the job to be displayed. * is the default meaning the current job. The user must be authorized to display the job either because 1) it is his own, 2) he has JOBCTL special authority, or 3) he is authorized to the TAAJOBCTL authorization list. The same restrictions relative to OPTION(SPLF) and OPTION(JOBLOG) as exist for the system DSPJOB command also exist for DSPJOB3. See the previous discussion. OUTPUT How to output the results. is the default which means to display the results if the command is run interactively. If the command is run in batch or PRINT is specified, the results are printed by DSPJOB. OPTION The name of the special value whose information is displayed. The choices are the same as appear on the DSPJOB command. Use the ? function in the parameter for the complete list. DUPJOBOPT The action to perform if duplicate jobs exist for the same values entered (such as duplicate jobs for a job name or a job/user name). The default is SELECT which causes the TAA DSPDUPJOB menu to appear so an individual job may be selected. MSG may be specified to cause the CPF1069 escape message. Restrictions ------------ See the previous comments about authorization. Prerequisites ------------- The following TAA Tools must be on your system: CHKJOBCTL Check job control DSPDUPJOB Display duplicate job RTVJOBSTS Retrieve job status SNDCOMPMSG Send completion message SNDESCMSG Send escape message Implementation -------------- None, the tool is ready to use. Objects used by the tool ------------------------ Object Type Attribute Src member Src file ------ ---- --------- ---------- ---------- DSPJOB3 CMD TAAJODC QATTCMD TAAJODCC PGM CLP TAAJODCC QATTCL TAAJODCD FILE DSPF TAAJODCD QATTDDS Note that the TAAJODCC program is owned by the TAAJOBCTL user profile and adopts the owners authority.

DSPJOB3         DISPLAY JOB 3                          TAAJODC


The Display Job 3 command  allows a user who has *USE  authority to the
TAAJOBCTL  authorization list  to perform  DSPJOB  functions for  a job
that  is  not  his  own.   This  allows  trusted  individuals  (such as
programmers) to have DSPJOB  capability as if they had  *JOBCTL special
authority without  directly specifying  *JOBCTL in their  user profile.

The *JOBCTL special authority provides a lot of capability such as:

          - Display any job
          - Display spooled file data for any job, change the
                spooled file, delete the spooled file (except
                for spooled files in 'private output queues')
          - Change any job
          - End any job
          - Clear job queues
          - Clear output queues
          - Power down the system

Because  of  this,  some  installations want  to  minimize  the  use of
*JOBCTL special authority, but  still have a  need to allow some  users
to  display  jobs that  are  not  their  own.   DSPJOB3  provides  this
capability  by   allowing  trusted  users  to   be  authorized  to  the
TAAJOBCTL authorization list.

DSPJOB3 supports the same parameters as  the system DSPJOB command.   A
typical command would be:

             DSPJOB3       JOB(xxx)

Assuming the  user was authorized,  the TAA  DSPJOB3 menu would  appear
which has the same options as the system DSPJOB menu.

The DSPJOB3  command is authorized  for PUBLIC(*USE).   This allows any
user to use the command, but the following rules exist:

  **   If  a user has no authority  to the TAAJOBCTL authorization list
       and does not have  *JOBCTL special authority, the user  can only
       operate on  his own jobs (TAA9894  is sent as an  escape message
       if the user is not the owner of the job).

  **   If  a user  has  *USE authority  to the  TAAJOBCTL authorization
       list or has  *JOBCTL special authority, the  user can display  a
       job  which  is  not  his  own (it  is  also  possible  to  adopt
       authority  to  *JOBCTL  in  a  program  that  runs  the  DSPJOB3
       command).

       Two restrictions exist  when displaying  a job  other than  your
       own  (these are  the  same as  supported  by the  system  DSPJOB
       command):

         --   Spooled  files which  exist in  a 'private  output queue'
              can  be listed, but  the data cannot  be displayed unless
              the  user  has  *SPLCTL  special  authority  (it  is  not
              adopted).   A 'private  output queue'  is created  by the
              CRTOUTQ command OPRCTL(*NO) function.

         --   The  DSPJOB  OPTION(*JOBLOG)  is  prevented  if  the user
              running  the  command  does  not  have  *ALLOBJ   special
              authority and  attempts to  display a job  of a  user who
              has *ALLOBJ special authority.

Duplicate job handling
----------------------

If  a fully qualified job  name is not entered,  there may be duplicate
jobs for the same values entered (either Job or Job/User).

DSPJOB3 supports  the  same DSPDUPJOB  parameter  as on  DSPJOB.    The
default is *SELECT  to display a menu  of the duplicates.   This occurs
by using the  TAA DSPDUPJOB display and the user  may select the job to
be displayed.

If  DSPDUPJOB(*MSG) is specified,  the CPF1069 escape  message (same ID
used by DSPJOB) will be sent if duplicates exist.

TAAJOBCTL Authorization List
----------------------------

The TAAJOBCTL authorization list  allows certain TAA Tools  to function
as if  the user was  directly authorized to *JOBCTL  special authority.

By  authorizing a  user to  *USE authority  to the  Authorization List,
you enable the user  to do a few other  functions which are similar  to
DSPJOB3.

The EXCJOBCTL command  is under control of  the TAAJOBCTL authorization
list.   The EXCJOBCTL  command allows a  user to run  some standard TAA
functions  such  as   CVTWRKUSR  which  creates   an  outfile  of   job
information.    The  Security  Officer  may  also  specify  what  other
commands  may  be  run  under  *JOBCTL  special  authority.    See  the
discussion with the EXCJOBCTL tool.

TAAJOBCTL Special profile
-------------------------

The  owner of the  DSPJOB3 processing program  (TAAJODCC) is TAAJOBCTL.
This special profile  is created when  installing the TAA  Productivity
Tools  and  has  the  special  authority *JOBCTL.    No  other  special
authorities  exist.  The profile is  created with PASSWORD(*NONE) so it
may not be signed onto.

The  processing  program   (TAAJODCC)  adopts   the  owners   authority
(TAAJOBCTL) during the running of the program.

Checking for authorization is done using a program that 'unadopts'.

The purpose  of using the TAAJOBCTL  user profile (rather  than QSECOFR
who  owns  other  TAATOOL  objects)  is  to  prevent  the  adoption  of
*SPLCTL.  *SPLCTL special authority  allows access to any spooled  file
including those  in 'private output  queues'.  Unless  the user of  the
DSPJOB3 command  is the same  as the user of  the job (or  the the user
of  the command  has the *SPLCTL  special authority),  spooled files in
'private output queues' cannot be displayed with DSPJOB3.

When the  TAA  Productivity Tools  are  installed, the  TAAJOBCTL  user
profile  and  DSPJOB3 program  are  set  to  allow correct  processing.
During  the execution  of the  DSPJOB3 program,  the program  owner and
user profile are checked to ensure that:

  **   The DSPJOB3 program is owned by TAAJOBCTL.

  **   The TAAJOBCTL  user profile  has the  special authority  *JOBCTL
       and no other special authorities.

DSPJOB3 escape messages you can monitor for
--------------------------------------------

      CPF1069    If duplicate jobs exist and DSPDUPJOB(*MSG)
      CPF1070    The job could not be found
      TAA9894    Not authorized to another users job
                    - User is not authorized to TAAJOBCTL *AUTL

Escape messages from based on functions will be re-sent.

Command parameters                                    *CMD
------------------

   JOB           The qualified name  of the job to be displayed.   * is
                 the default meaning the current job.

                 The  user  must  be  authorized  to  display  the  job
                 either because 1)  it is  his own, 2)  he has  *JOBCTL
                 special  authority, or  3)  he  is authorized  to  the
                 TAAJOBCTL authorization list.

                 The  same restrictions  relative to  OPTION(*SPLF) and
                 OPTION(*JOBLOG)   as  exist  for   the  system  DSPJOB
                 command also  exist  for DSPJOB3.   See  the  previous
                 discussion.

   OUTPUT        How to  output the  results.  *  is the  default which
                 means  to display  the results  if the command  is run
                 interactively.

                 If  the  command  is  run   in  batch  or  *PRINT   is
                 specified, the results are printed by DSPJOB.

   OPTION        The name  of the  special value  whose information  is
                 displayed.   The  choices are  the  same as  appear on
                 the DSPJOB  command.   Use  the  ?   function  in  the
                 parameter for the complete list.

   DUPJOBOPT     The  action to  perform if  duplicate  jobs exist  for
                 the  same values entered  (such as duplicate  jobs for
                 a  job  name  or a  job/user  name).   The  default is
                 *SELECT  which  causes  the  TAA  DSPDUPJOB   menu  to
                 appear so an individual job may be selected.

                 *MSG  may be  specified  to cause  the CPF1069  escape
                 message.

Restrictions
------------

See the previous comments about authorization.

Prerequisites
-------------

The following TAA Tools must be on your system:

     CHKJOBCTL       Check job control
     DSPDUPJOB       Display duplicate job
     RTVJOBSTS       Retrieve job status
     SNDCOMPMSG      Send completion message
     SNDESCMSG       Send escape message

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   DSPJOB3       *CMD                   TAAJODC       QATTCMD
   TAAJODCC      *PGM       CLP         TAAJODCC      QATTCL
   TAAJODCD      *FILE      DSPF        TAAJODCD      QATTDDS

Note  that the TAAJODCC program is owned  by the TAAJOBCTL user profile
and adopts the owners authority.

Added to TAA Productivity tools June 15, 2001

Home Page

Up to Top