This may not apply to you, but we just ran across this issue where a CL
program issues a CHGJOB command to change RUNPTY to 51. This CL never
had an issue until the program was allowed to be run by the user
community. Now it fails because our when our users run the job because
they do not have *JOBCTL authority.
On 2016-08-17 15:27, CRPence wrote:
On 16-Aug-2016 12:44 -0700, Rob Berendt wrote:
I ran these:[http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzarl/rzarlsecaudje.htm]
CPYAUDJRNE ENTTYP(AF) JRNRCV(*CURCHAIN)
I am seeing numerous authority failures for CHGJOB.
Definitely a batch job. Actually it's a job submitted by a Domino
agent from another system. So, it's not an interactive thing in which
someone with limited capabilities is trying to interactively run
Library Object Object Program Program
name name type name library
*N CHGJOB *CMD QWTCHGJB QSYS
Job User Job
name name number
INV500S1 ORDINQ 136,491
Same job name, same job user, job number is never the same. Often
the increase is only 2 numbers.
_Security auditing journal entries_
"An attempt was made to perform an operation for which the user did not have the required special authority."
Object . . . . . . . : CHGJOBAgain, Special Authority, not private, public, adopt, et al.
Library . . . . . : QSYS
Object type . . . . : *CMD
Object secured by authorization list . . . . . . . . : *NONE
User Group Authority
So user ORDINQ would be part of *PUBLIC.
No joblog currently available.Probably not.
Does SBMJOB implicitly run CHGJOB? Even so, why the authority
cmd='SBMJOB CMD(CALL PGM(INV500S1) PARM(''B''))'That appears to be data from the job that made the request to start [aka submit] the job in which the T-AF eventually was logged, not from the job for which the T-AF was logged.?
+ ' JOB(INV500S1) JOBQ(INV500S1)';
I can't see anything else here which indicates a CHGJOBUser ORDINQ is lacking the necessary Special Authorities (SPCAUT) for which [some of] the specified parameters require the *JOBCTL special authority; i.e. for which the msg CPF1337 "&3/&2/&1 not authorized to change parameters." is expected for the failing request. You will want to find the error for the improper Change Job (CHGJOB) request, i.e. obtain and review a joblog [or trace] for the job from which that T-AF was logged.
IBM i 7.3