|
You can examine and change each object's authority using the EDTOBJAUT command:
For example:
EDTOBJAUT OBJ(ADOPTION) OBJTYPE(*QRYDFN)
...would produce the following display:
Edit Object Authority
Object . . . . . . . : ADOPTION        Owner . . . . . . . : QSECOFR
Library . . . . . : KENNETH            Primary group . . . : *NONE
Object type . . . . : *QRYDFN          ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . . *NONE
                        Object    -----Object------   ------Data-------
User        Group       Authority   O  M  E  A  R       R  A  U  D  E
*GROUP      QSECOFR     *ALL        X  X  X  X  X       X  X  X  X  X
*PUBLIC                 *CHANGE     X                   X  X  X  X  X
All authority details for the object are shown here. Use F1 on each field for a detailed explanation of what it means.
After you have reviewed all the objects in library LIBQRY and made any changes needed to restrict access, consider making a few changes that help you set authority on objects as they are created in this library and make it easy to maintain access for all the objects in this library.
There is an attribute for a library object (*LIB) that determines what the *PUBLIC authority for a newly created object in that library will be.
To view this attribute use the DSPLIB command:
For example:
DSPLIB LIB(KENNETH)
...would produce the following display:
Display Library
Library . . . . . . : KENNETH        Number of objects . : 265
Type . . . . . . . . : TEST          Library ASP number . : 3
Create authority . . : KENNETH       Library ASP device . : *SYSBAS
The "Create Authority" attribute defines authority as outlined in this IBM Help Text:
For an object created into this library, this is the default public
authority given to users who do not have specific authority to the
object, who are not on the authorization list, and whose user group
has no specific authority to the object.
The valid values are:
*SYSVAL
  The default public authority for an object when it is created in
  this library is determined by the value specified by the QCRTAUT
  system value.
*CHANGE
  The default public authority for objects created in this library
  is *CHANGE. The user can perform all operations on the object
  except those limited to the owner or controlled by object
  existence authority and object management authority.
*ALL
  The default public authority for objects created in this library
  is *ALL. The user can perform all operations on the object
  except those limited to the owner or controlled by authorization
  list management authority.
*USE
  The default public authority for objects created in this library
  is *USE. The user can perform basic operations on the object,
  such as run a program or read a file.
*EXCLUDE
  The default public authority for objects created in this library
  is *EXCLUDE. The user is prevented from accessing the object.
Authorization list name
  The name of the authorization list that secures an object when
  it is created in this library. The default public authority is
  taken from the authorization list and the public authority for
  the object is specified as *AUTL.
This provides a great way to set *PUBLIC authority for newly created objects in a library.
In this example I've chosen to specify the name of an Authority List (*AUTL), KENNETH.
You create an authority list using the CRTAUTL command. To edit the list, use the EDTAUTL command:
For example:
EDTAUTL AUTL(KENNETH)
...would produce the following display:
Edit Authorization List
Object . . . . . . . : KENNETH         Owner . . . . . . . : QSECOFR
Library . . . . . : QSYS               Primary group . . . : *NONE
Type changes to current authorities, press Enter.
            Object      List  -----Object------   ------Data-------
User        Authority   Mgt     O  M  E  A  R       R  A  U  D  E
QSECOFR     *ALL        X       X  X  X  X  X       X  X  X  X  X
KKH         *CHANGE             X                   X  X  X  X  X
*PUBLIC     *EXCLUDE
As you can see, any object associated with this authority list will have a *PUBLIC authority of *EXCLUDE, while users KKH and QSECOFR (or members of their groups if these are group profiles) will have *CHANGE and *ALL authority respectively.
What is wonderful about this is that by controlling all the authority settings for a group of objects using an authority list, you only have to change this one list to change the access to *ALL of these objects!
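The setup described above (create the list, add its entries, make it the library's Create authority) can be scripted as a CL program. This is an added example, not part of the original article: the program name SETLIBAUT is hypothetical, KENNETH and KKH are the names from the displays above, and it assumes the caller is authorized to create the list and change the library.

```cl
/* SETLIBAUT - hypothetical example program, not from the article.  */
/* Creates the authorization list if it does not exist, then makes  */
/* it the Create authority (CRTAUT) of the library.                 */
/* Example call: CALL PGM(SETLIBAUT) PARM('KENNETH' 'KENNETH' 'KKH') */
             PGM        PARM(&LIB &AUTL &USER)
             DCL        VAR(&LIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&AUTL) TYPE(*CHAR) LEN(10)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

             /* Authorization lists always reside in QSYS.          */
             /* CPF9801 = object not found: create on first run.    */
             CHKOBJ     OBJ(QSYS/&AUTL) OBJTYPE(*AUTL)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                /* *PUBLIC on the list itself starts at *EXCLUDE    */
                CRTAUTL    AUTL(&AUTL) AUT(*EXCLUDE) +
                             TEXT('Secures objects in one library')
                /* Give the named user or group profile *CHANGE     */
                ADDAUTLE   AUTL(&AUTL) USER(&USER) AUT(*CHANGE)
             ENDDO

             /* Objects created from now on with the default        */
             /* AUT(*LIBCRTAUT) are secured by the list and get     */
             /* *PUBLIC authority *AUTL. Existing objects are not   */
             /* changed by this command.                            */
             CHGLIB     LIB(&LIB) CRTAUT(&AUTL)

             /* Spool the list entries so the result can be reviewed */
             DSPAUTL    AUTL(&AUTL) OUTPUT(*PRINT)
             ENDPGM
```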
To associate an object with an authority list modify the following field from the EDTOBJAUT display:
Edit Object Authority
Object . . . . . . . : ADOPTION        Owner . . . . . . . : QSECOFR
Library . . . . . : KENNETH            Primary group . . . : *NONE
Object type . . . . : *QRYDFN          ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . . *NONE
To use the authority set in the authority list for *PUBLIC authority, change the *PUBLIC entry from the EDTOBJAUT display as follows:
Edit Object Authority
Object . . . . . . . : ADOPTION        Owner . . . . . . . : QSECOFR
Library . . . . . : KENNETH            Primary group . . . : *NONE
Object type . . . . : *QRYDFN          ASP device . . . . . : *SYSBAS
Type changes to current authorities, press Enter.
Object secured by authorization list . . . . . . . . . . . . KENNETH
                        Object    -----Object------   ------Data-------
User        Group       Authority   O  M  E  A  R       R  A  U  D  E
*GROUP      QSECOFR     *ALL        X  X  X  X  X       X  X  X  X  X
*PUBLIC                 *AUTL
Whenever an object is created in this library specify authority as:
AUT('autl_name') or from a Save Query screen, Authority . . . . . 'autl_name'
Sometimes you may want to reset the authority for all the objects in a library so they reference an authority list. Here are the commands you would want to use in a program:
First: Remove all authority:
RVKOBJAUT OBJ(librqry/*ALL) +
          OBJTYPE(*ALL) +
          USER(*ALL) +
          AUT(*ALL) /* Revoke all private authority */
GRTOBJAUT OBJ(librqry/*ALL) +
          OBJTYPE(*ALL) +
          AUTL(*NONE) /* Remove all authority list references */
Second:
/* *********************************** */
/* SET AUTHORITY FOR ALL OBJECTS IN */
/* THE LIBRARY TO REFERENCE AN */
/* AUTHORITY LIST */
/* *********************************** */
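GRTOBJAUT OBJ(librqry/*ALL) +
          OBJTYPE(*ALL) +
          AUTL(CISPRDDTA) /* Secure every object with the list */
GRTOBJAUT OBJ(librqry/*ALL) +
          OBJTYPE(*ALL) +
          USER(*PUBLIC) +
          AUT(*AUTL) +
          REPLACE(*YES) /* *PUBLIC authority now comes from the list */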
Hopefully using these commands and securing your objects using an authority list will allow you to effectively control access to all the objects in your library!
|