Manage Learn to apply best practices and optimize your operations.

Why isn't the user authorized?

Why would a user not be authorized to use a file residing in a library that is in their library list and to which one of their user profile's supplemental groups is authorized?

The supplemental group is displayed on the explicit object authority as having *ALL object authority. It is a group, yet it appears under the User column on the screen. Is that correct? Another group displays as *GROUP under the User column and has the group name under the Group column. We are on V5R1.
First, let me explain a bit about what you see when you run the Display Object Authority (DSPOBJAUT) command. If you see *GROUP then that user is one of YOUR groups and that's the authority your group has to the object. Other groups may appear in the list, but if they are not denoted with *GROUP they are not one of your groups. To determine why the user was not authorized, I suggest that you look in the audit journal. (You must have *AUTFAIL specified in the QAUDLVL system value to see this entry.) If you run DSPJRN on the QAUDJRN, and look specifically for AF entries, you can see the specific user and specific object to which the user is not authorized. It is possible that a profile swap was performed, especially if you are running an application, therefore, it's possible that the "swapped to" user is the one that is not authorized, rather than the user that originally signed on. Or, the application has masked some of the errors and they are not accurately stating what object the user is not authorized to. Both the user and the object are in the audit journal entry.


The Best Web Links: tips, tutorials and more.

Search400's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Check out this Search400.com Featured Topic: Top ten security tips

Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.