 Audit Question – *CHANGE access
I am auditing a client that has *PUBLIC (user) with *CHANGE (object authority) for QDFTJOBSCD object. We have been told by the client that this object allows a user to manage jobs. I would like to find what access does *CHANGE provide for users. Does this mean any user has access to modify jobs? Thank you in advance for any help.

ASKED: May 1, 2009  12:17 AM
UPDATED: October 17, 2009  9:46 AM

Answer Wiki:
Hi,

The job schedule object, QDFTJOBSCD, contains the entries that are set up as schedule for jobs. Jobs can be scheduled by adding a job schedule entry to the job schedule object. You cannot create, delete, rename, or duplicate the job schedule object (QDFTJOBSCD), and you cannot move it to any other library.

The QDFTJOBSCD object is shipped by IBM with public authority of *CHANGE. This is the minimum authority necessary to add, change, hold, release and remove job schedule entries.

Yes, it does mean user has authority to modify the job schedule entries.

====================================================================

It means they have authority to change job scheduler entries; however, they can only change entries that they're authorized to. For example, if I placed an entry on the scheduler on one of my systems, a normal user wouldn't be able to change that entry just from *CHANGE authority to the scheduler. But if that user also had *JOBCTL special authority, then authority to my job entries is automatically available.

The *CHANGE authority alone would allow users to add their own entries to the scheduler (thereby "changing" the scheduler so that it included a new entry). It doesn't give authority to someone else's entries without some additional element of authorization.

Tom
Last Wiki Answer Submitted:  October 17, 2009  9:46 am  by  Dreamz1974   515 pts.
All Answer Wiki Contributors:  Dreamz1974   515 pts.
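
For an audit, the rule described in the answer above can be turned into a review of which profiles can change schedule entries they did not add. The following is an added example, not code from the original answers or from IBM: the profile and entry data are constructed, the function names are hypothetical, and it assumes every profile reaches QDFTJOBSCD only through the *PUBLIC authority. It also goes one step beyond the answer by counting *JOBCTL inherited from a group profile, since IBM i members pick up their group's special authorities.

```python
# Constructed sample data (not from the page):
# profile -> (special authorities, group profiles)
PROFILES = {
    "OPSADMIN": ({"*JOBCTL", "*SAVSYS"}, []),
    "GRPOPER":  ({"*JOBCTL"}, []),
    "NIGHTOPR": (set(), ["GRPOPER"]),   # inherits *JOBCTL from its group
    "CLERK1":   (set(), []),
    "CLERK2":   (set(), ["GRPSALES"]),
    "GRPSALES": (set(), []),
}
# Constructed schedule entries: entry name -> profile that added it
ENTRIES = {"PAYROLL": "OPSADMIN", "BACKUP": "OPSADMIN", "RPT01": "CLERK1"}


def effective_special(profile, profiles):
    """Own special authorities plus those inherited from group profiles."""
    own, groups = profiles[profile]
    inherited = set()
    for g in groups:
        if g in profiles:
            inherited |= profiles[g][0]
    return set(own) | inherited


def can_change(profile, entry, profiles, entries, object_authority="*CHANGE"):
    """Hypothetical model of the rule in the answer above."""
    if object_authority not in ("*CHANGE", "*ALL"):
        return False  # below the minimum needed to work with any entry
    if entries[entry] == profile:
        return True   # a profile can maintain the entries it added itself
    return "*JOBCTL" in effective_special(profile, profiles)


def audit(profiles, entries, object_authority="*CHANGE"):
    """Map each profile to the entries it can change but did not add."""
    findings = {}
    for p in sorted(profiles):
        others = sorted(
            e for e, owner in entries.items()
            if owner != p and can_change(p, e, profiles, entries, object_authority)
        )
        if others:
            findings[p] = others
    return findings


if __name__ == "__main__":
    for prof, ents in audit(PROFILES, ENTRIES).items():
        print(f"{prof}: can change entries added by others -> {', '.join(ents)}")
```

The profiles this reports are the ones to justify in the audit: with *PUBLIC *CHANGE in place, *JOBCTL (direct or inherited) is what extends a user's reach from their own entries to everyone's.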


Discuss This Question:


 

Thank you for the response. Just to clarify, is there a security risk that any user can modify jobs with *CHANGE access? Shouldn’t the access be *USE instead of *CHANGE or is that too restrictive?

 70 pts.

 

It depends on your specific system and environment. The only true way to know is to look at what’s housed and, in turn, how it can be exploited. Odds are slim that someone is going to exploit such a system at this level. I’ve yet to come across a database system that has anything other than the default out of the box configuration so make sure you’ve covered the basics first.

 10,785 pts.