Audit Question – *CHANGE access

70 pts.
AS/400 administration
AS/400 security
AS/400 user authority
I am auditing a client that has *PUBLIC (user) with *CHANGE (object authority) for QDFTJOBSCD object. We have been told by the client that this object allows a user to manage jobs. I would like to find what access does *CHANGE provide for users. Does this mean any user has access to modify jobs? Thank you in advance for any help.

Answer Wiki

Thanks. We'll let you know when a new response is added.


The job schedule object, QDFTJOBSCD contains the entries that are set up as schedule for jobs. Jobs can be scheduled by adding a job schedule entry to the job schedule object. You cannot create, delete, rename, or duplicate the job schedule object (QDFTJOBSCD), and you cannot move it to any other library.

The QDFTJOBSCD object is shipped by IBM with public authority of *Change. This is the minimum authority necessary to add, change, hold, release and remove job schedule entries.

Yes, It does mean user has authority to modify the job schedule entries.


It means they have authority to change job scheduler entries; however, they can only change entries that they’re authorized to.

For example, if I placed an entry on the scheduler on one of my systems, a normal user wouldn’t be able to change that entry just from *CHANGE authority to the scheduler. But if that user also had *JOBCTL special authority, then authority to my job entries are automatically available.

The *CHANGE authority alone would allow users to add their own entries to the scheduler (thereby “changing” the scheduler so that it included a new entry.) It doesn’t give authority to someone else’s entries without some additional element of authorization.


Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Toosunneo
    Thank you for the response. Just to clarify, is there a security risk that any user can modify jobs with *CHANGE access? Shouldn't the access be *USE instead of *CHANGE or is that too restrictive?
    70 pointsBadges:
  • Kevin Beaver
    It depends on your specific system and environment. The only true way to know is to look at what's housed and, in turn, how it can be exploited. Odds are slim that someone is going to exploit such a system at this level. I've yet to come across a database system that has anything other than the default out of the box configuration so make sure you've covered the basics first.
    27,525 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: