The Change Authorization List Entry (CHGAUTLE) command changes the authorities for users on authorization lists. The authorities that the users have on the authorization list are replaced with the authorities specified on the command. The authorization list must already exist and the users must be on the list. If the user specified is not on the list, a message is issued.
The users who can use this command to change the authorization list are: the owner of the authorization list, a user with authorization list management (*AUTLMGT) authority on the list, or a user with all object (*ALLOBJ) special authority.
To change a user's authorities, you must specify the name of the authorization list, a list of users, and a list of authorities. All users specified in the list are given the same authorities. The authorities of each user on the list are changed to the authorities specified. Authority can be specified for all users who do not have specific authority, who are not on the authorization list, and whose groups have no authority, by specifying USER(*PUBLIC).
Restrictions:
- Only the owner of the list, or a user with all object (*ALLOBJ) special authority, can add a user with authorization list management (*AUTLMGT) authority.
- A user with *AUTLMGT authority can change a user's authority. They must also have the specific authority to be added or removed.
Authorization list (AUTL)
Specifies the authorization list for which users' authorities are to be changed. The authorization list must already exist.
This is a required parameter.
- generic-name
- Specify the generic name of the authorization lists to be changed.
A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.
- name
- Specify the name of the authorization list to be changed.
User (USER)
Specifies one or more user profiles whose authorities on the authorization list are to be changed. If a user profile name is not on the authorization list, a message is issued.
This is a required parameter.
Single values
- *PUBLIC
- Authority is given to all users who have no specific authority, are not on the authorization list, and whose group profile does not have any authority.
Other values (up to 50 repetitions)
- name
- Specify the name of the profile whose authorities are to be changed. Up to 50 user profile names can be specified.
Authority (AUT)
Specifies the authority to be given to the users specified on the User (USER) parameter.
Single values
- *EXCLUDE
- The user cannot access the object.
Other values (up to 11 repetitions)
- *CHANGE
- The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
- *ALL
- The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
- *USE
- The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
- *AUTLMGT
- Authorization list management authority provides the authority to add users to the authorization list, to change users' authorities on the authorization list, to remove user names from the authorization list, or to remove users from the authorization list, to rename an authorization list, or to create a duplicate authorization list.
- *OBJALTER
- Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
- *OBJEXIST
- Object existence authority provides the authority to control the object's existence and ownership. These authorities are necessary for users who want to delete an object, free storage for an object, perform save and restore operations for an object, or transfer ownership of an object. A user with special save system (*SAVSYS) authority does not need existence authority to save or restore objects. Object existence authority is required to create an object that has an existing authority holder.
- *OBJMGT
- Object management authority provides the authority to The security for the object, move or rename the object, and add members to database files.
- *OBJOPR
- Object operational authority provides authority to look at the description of an object and to use the object as determined by the user's data authority to the object.
- *OBJREF
- Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.
Data authorities
- *ADD
- Add authority provides the authority to add entries to an object (for example, job entries to an queue or records to a file).
- *DLT
- Delete authority allows the user to remove entries from an object (for example, remove messages from a message queue or records from a file.)
- *EXECUTE
- Execute authority provides the authority needed to run a program or locate an object in a library or directory.
- *READ
- Read authority provides the authority needed to show the contents of an object.
- *UPD
- Update authority provides the authority to change the entries in an object.
CHGAUTLE AUTL(DEPT48X) USER(KARENG KARENS JEFF JULIE DARL)
AUT(*CHANGE)
This command changes the authority that users KARENG, KARENS, JEFF, JULIE, and DARL have on the authorization list to *CHANGE. *CHANGE gives the users object operational authority and all data authorities to the objects secured by the authorization list.