Problem solve Get help with specific problems with your technologies, process and projects.

Identifying users' system authority

How do users get the authority to run certain commands? How do you identify those users? System i security expert Carol Woodbury has the answers.

How is authorization given to users to execute the sensitive commands listed below, and how do I identify users who have that capability?
  • Change Database File (using DFU) CHGUSRPRF
  • Change User Profile CRTAUTL
  • Create Authorization List CRTUSRPRF
  • Create User Profile EDTAUTL
  • Edit Authorization List STRDFU
  • Start DFU UPDDTA
  • Update Data (Using DFU)
Users will have permission to run commands based on their authority to the command. They or their group can be given an individual or private authority to the command. Or they may have sufficient authority to run the command based on the *PUBLIC authority to the command. *PUBLIC authority is the default access that everyone has to the command if they haven't been given a private authority. Permissions to commands can be granted by running the Edit Object Authority (EDTOBJAUT), Grant Object Authority (GRTOBJAUT), Work with Authority (WRKAUT) or Change Authority (CHGAUT) command. To find out the permissions on the commands listed, run the Display Object Authority command. For example, DSPOBJAUT CHGUSRPRF *CMD will display the users authorized to the Change User Profile command.

Dig Deeper on Systems Management Tools