Why would a user not be authorized to use a file residing in a library that is in their library list and to which one of their user profile's supplemental groups is authorized?
The supplemental group is displayed on the explicit object authority as having *ALL object authority. It is a group, yet it appears under the User column on the screen. Is that correct? Another group displays as *GROUP under the User column and has the group name under the Group column. We are on V5R1.
First, let me explain a bit about what you see when you run the Display Object Authority (DSPOBJAUT) command. If you see *GROUP, then that user is one of YOUR groups and that's the authority your group has to the object. Other groups may appear in the list, but if they are not denoted with *GROUP, they are not one of your groups.

To determine why the user was not authorized, I suggest that you look in the audit journal. (You must have *AUTFAIL specified in the QAUDLVL system value to see this entry.) If you run DSPJRN on the QAUDJRN and look specifically for AF entries, you can see the specific user and specific object to which the user is not authorized.

It is possible that a profile swap was performed, especially if you are running an application; therefore, it's possible that the "swapped to" user is the one that is not authorized, rather than the user that originally signed on. Or, the application has masked some of the errors and they are not accurately stating what object the user is not authorized to. Both the user and the object are in the audit journal entry.
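The audit journal lookup described in the answer, written out as a CL command sequence. This is an added example, not part of the original answer; the outfile name QTEMP/AFOUT is a placeholder, and the use of the type 4 model outfile QASYAFJ4 and of RUNQRY to view the result are assumptions about how you want to read the entries.

```cl
/* 1. Confirm auditing is active and authority failures are logged.   */
/*    QAUDCTL must include *AUDLVL and QAUDLVL must include *AUTFAIL, */
/*    otherwise no AF entries are written.                            */
DSPSYSVAL  SYSVAL(QAUDCTL)
DSPSYSVAL  SYSVAL(QAUDLVL)

/* 2. Create an empty outfile from the IBM-supplied AF model file so  */
/*    the entry-specific data is split into named fields.             */
/*    QTEMP/AFOUT is a placeholder name.                              */
CRTDUPOBJ  OBJ(QASYAFJ4) FROMLIB(QSYS) OBJTYPE(*FILE) +
             TOLIB(QTEMP) NEWOBJ(AFOUT)

/* 3. Extract only the AF (authority failure) entries. Journal code T */
/*    is the audit journal code. No USRPRF filter is applied, so an   */
/*    entry logged under a "swapped to" profile is not filtered out.  */
/*    RCVRNG(*CURRENT) reads the attached receiver only; use          */
/*    RCVRNG(*CURCHAIN) if the failure happened before the last       */
/*    receiver change.                                                */
DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) +
             JRNCDE((T)) ENTTYP(AF) +
             OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
             OUTFILE(QTEMP/AFOUT)

/* 4. Browse the result. Each record carries the user profile in      */
/*    effect at the time of the failure and the object name, library  */
/*    and type that the authority check failed on.                    */
RUNQRY     QRY(*NONE) QRYFILE((QTEMP/AFOUT))
```

Compare the user and object in each AF record with the user that signed on and the file the application reported; a mismatch in either one points to the profile swap or masked error the answer describes.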