
See the users with *change or *all authority

Is there a way to see the users with "change" or "all authority" on objects in a library? The library has 200 objects and we think users have been given unauthorized access.

You can examine and change each object's authority using the EDTOBJAUT command:

For example:

   EDTOBJAUT OBJ(ADOPTION) OBJTYPE(*QRYDFN)
 
    ...would produce the following display:
 
                            Edit Object Authority                          
                                                                           
Object . . . . . . . :   ADOPTION        Owner  . . . . . . . :   QSECOFR  
  Library  . . . . . :     KENNETH       Primary group  . . . :   *NONE    
Object type  . . . . :   *QRYDFN         ASP device . . . . . :   *SYSBAS  
                                                                           
Type changes to current authorities, press Enter.                          
                                                                           
  Object secured by authorization list  . . . . . . . . . . . .   *NONE    
                                                                           
                           Object     -----Object------   ------Data-------
User         Group        Authority   O   M   E   A   R   R   A   U   D   E
*GROUP       QSECOFR      *ALL        X   X   X   X   X   X   X   X   X   X
*PUBLIC                   *CHANGE     X                   X   X   X   X   X
                                                                
All authority details for the object are shown here. Use F1 on each field for a detailed explanation of what it means.

After you have reviewed all the objects in library LIBQRY and made any changes to restrict access, consider making a few changes that help you set the authority of objects as they are created in this library and make it easy to maintain authority for all the objects in it.

There is an attribute for a library object (*LIB) that determines what the *PUBLIC authority for a newly created object in that library will be.

To view this attribute use the DSPLIB command:

For example:

DSPLIB LIB(KENNETH)

  ...would produce the following display:
 
 
                                        Display Library                            
                                                                           
 Library  . . . . . . :   KENNETH         Number of objects  . :   265     
 Type . . . . . . . . :   TEST            Library ASP number . :   3       
 Create authority . . :   KENNETH         Library ASP device . :   *SYSBAS
 
 
The "Create Authority" attribute defines authority as outlined in this IBM Help Text:

For an object created into this library, this is the default public authority given to users who do not have specific authority to the object, who are not on the authorization list, and whose user group has no specific authority to the object.

The valid values are:

                                          
                                                                        
*SYSVAL

The default public authority for an object when it is created in this library is determined by the value specified by the QCRTAUT system value.
                                                                        
*CHANGE   

The default public authority for objects created in this library is *CHANGE. The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority.

*ALL

The default public authority for objects created in this library is *ALL. The user can perform all operations on the object except those limited to the owner or controlled by authorization list management authority.

*USE

The default public authority for objects created in this library is *USE. The user can perform basic operations on the object, such as run a program or read a file.

*EXCLUDE

The default public authority for objects created in this library is *EXCLUDE. The user is prevented from accessing the object.

Authorization list name

The name of the authorization list that secures an object when it is created in this library. The default public authority is taken from the authorization list and the public authority for the object is specified as *AUTL.

This provides a great way to set *PUBLIC authority for newly created objects in a library.

In this example I've chosen to specify the name of an Authority List (*AUTL), KENNETH.

To create an authority list, use the CRTAUTL command. To edit the list, use the EDTAUTL command:

For example:

EDTAUTL AUTL(KENNETH)

...would produce the following display:

                            Edit Authorization List                       
                                                                          
 Object . . . . . . . :   KENNETH         Owner  . . . . . . . :   QSECOFR
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE  
                                                                          
 Type changes to current authorities, press Enter.                        
                                                                          
               Object     List   -----Object------   ------Data-------    
 User         Authority   Mgt    O   M   E   A   R   R   A   U   D   E    
 QSECOFR      *ALL         X     X   X   X   X   X   X   X   X   X   X    
 KKH          *CHANGE            X                   X   X   X   X   X    
 *PUBLIC      *EXCLUDE                                                    
 

As you can see, any object associated with this authority list will have a *PUBLIC authority of *EXCLUDE, while users KKH and QSECOFR (or members of their groups if these are group profiles) will have *CHANGE and *ALL authority respectively.

What is wonderful about this is that by controlling all the authority settings for a group of objects through an authority list, you only have to change this one list to change the access to *ALL of these objects!

To associate an object with an authority list modify the following field from the EDTOBJAUT display:

                            Edit Object Authority                          
                                                                           
Object . . . . . . . :   ADOPTION        Owner  . . . . . . . :   QSECOFR  
  Library  . . . . . :     KENNETH       Primary group  . . . :   *NONE    
Object type  . . . . :   *QRYDFN         ASP device . . . . . :   *SYSBAS  
                                                                           
Type changes to current authorities, press Enter.                          
                                                                           
  Object secured by authorization list  . . . . . . . . . . . .   *NONE    

To use the authority set in the authority list for *PUBLIC authority, change the *PUBLIC entry from the EDTOBJAUT display as follows:

                            Edit Object Authority                          
                                                                           
Object . . . . . . . :   ADOPTION        Owner  . . . . . . . :   QSECOFR  
  Library  . . . . . :     KENNETH       Primary group  . . . :   *NONE    
Object type  . . . . :   *QRYDFN         ASP device . . . . . :   *SYSBAS  
                                                                           
Type changes to current authorities, press Enter.                          
                                                                           
  Object secured by authorization list  . . . . . . . . . . . .   KENNETH    
                                                                           
                           Object     -----Object------   ------Data-------
User         Group        Authority   O   M   E   A   R   R   A   U   D   E
*GROUP       QSECOFR      *ALL        X   X   X   X   X   X   X   X   X   X
*PUBLIC                   *AUTL  
   

Whenever an object is created in this library, specify authority as AUT('autl_name') or, from a Save Query screen, as:

    Authority . . . . . 'autl_name'

Sometimes you may want to reset the authority for all the objects in a library so they reference an authority list. Here are the commands you would want to use in a program:

First: Remove all authority:

    RVKOBJAUT   OBJ(librqry/*ALL) +
                OBJTYPE(*ALL) +
                USER(*ALL) +
                AUT(*ALL)      /* Revoke all private authority */

    GRTOBJAUT   OBJ(librqry/*ALL) +
                OBJTYPE(*ALL) +
                AUTL(*NONE)    /* Remove all authority list references */

Second:

    /* *********************************** */
    /* SET AUTHORITY FOR ALL OBJECTS IN    */
    /*  THE LIBRARY TO REFERENCE AN        */
    /*  AUTHORITY LIST                     */
    /* *********************************** */

    /* Secure every object with the authority list */
    GRTOBJAUT   OBJ(librqry/*ALL) +
                OBJTYPE(*ALL) +
                AUTL(CISPRDDTA)

    /* Take *PUBLIC authority from the authority list */
    GRTOBJAUT   OBJ(librqry/*ALL) +
                OBJTYPE(*ALL) +
                USER(*PUBLIC) +
                AUT(*AUTL) +
                REPLACE(*YES)

Hopefully using these commands and securing your objects using an authority list will allow you to effectively control access to all the objects in your library!
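
For the original question (which users hold *CHANGE or *ALL across all 200 objects), the review can also be run as a query instead of opening EDTOBJAUT for each object. This is an added example, not part of the original answer; it assumes an IBM i release that provides the QSYS2.OBJECT_PRIVILEGES catalog view and uses the library name KENNETH from the displays above.

```sql
-- Added example; assumes the QSYS2.OBJECT_PRIVILEGES view is available
-- and that the library under review is KENNETH (taken from the page).

-- 1) Every profile, group or *PUBLIC entry holding *ALL or *CHANGE,
--    one row per object, with *PUBLIC entries listed first.
SELECT system_object_name  AS object_name,
       object_type,
       authorization_name  AS user_or_group,
       object_authority,
       owner,
       authorization_list
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'KENNETH'
   AND object_authority IN ('*ALL', '*CHANGE')
 ORDER BY CASE WHEN authorization_name = '*PUBLIC' THEN 0 ELSE 1 END,
          authorization_name,
          system_object_name;

-- 2) Summary per profile: how many objects each one can change.
--    A profile that appears here unexpectedly is the one to investigate.
SELECT authorization_name  AS user_or_group,
       object_authority,
       COUNT(*)            AS object_count
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'KENNETH'
   AND object_authority IN ('*ALL', '*CHANGE')
 GROUP BY authorization_name, object_authority
 ORDER BY object_count DESC;

-- 3) Objects whose *PUBLIC authority is *AUTL: their effective public
--    access is set in the authorization list, so review each list named
--    here with EDTAUTL as shown earlier.
SELECT authorization_list,
       COUNT(*)            AS objects_secured
  FROM qsys2.object_privileges
 WHERE system_object_schema = 'KENNETH'
   AND authorization_name = '*PUBLIC'
   AND object_authority = '*AUTL'
 GROUP BY authorization_list
 ORDER BY authorization_list;
```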

This was last published in December 2004
