Add Authorization List Entry (ADDAUTLE)

Where allowed to run: All environments (*ALL)
Threadsafe: No

The Add Authorization List Entry (ADDAUTLE) command allows the user to add entries to an authorization list. An entry consists of a user's name and the authorities associated with that user on the authorization list. Both the authorization list and the user profile must exist. If the specified user is already on the list, a message is issued and the user's authorities on the list are not changed.

The users who can use this command to add users to an authorization list are: the owner of the authorization list, a user with authorization list management (*AUTLMGT) authority on the authorization list, or a user with all object (*ALLOBJ) special authority.

When the ADDAUTLE command is used to add a user to an authorization list, the user must specify the name of the authorization list, a list of authorized users, and a list of authorities specified for the list. Each user on the list is given the authorities specified on the command.

Restrictions:


Parameters

Keyword | Description | Choices | Notes
AUTL | Authorization list | Generic name, name | Required, Positional 1
USER | User | Values (up to 50 repetitions): Name | Required, Positional 2
AUT | Authority | Single values: *EXCLUDE; Other values (up to 11 repetitions): *CHANGE, *ALL, *USE, *OBJALTER, *OBJEXIST, *OBJMGT, *OBJOPR, *OBJREF, *ADD, *DLT, *EXECUTE, *READ, *UPD, *AUTLMGT | Optional, Positional 3

Authorization list (AUTL)

Specifies the authorization list to which the users are to be added. The authorization list must already exist.

This is a required parameter.

generic-name
Specify the generic name of the authorization lists to be changed.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name
Specify the name of the authorization list to which the user profile name is added.

User (USER)

Specifies one or more users to be added to the authorization list. Up to 50 user profile names can be specified. If a user profile name is already on the authorization list, a message is issued and the user's authorities are not changed.

This is a required parameter.

name
Specify the name of the user profile to be added to the authorization list.

Authority (AUT)

Specifies the authority to be given to the users specified for the User (USER) parameter. Users must have *AUTLMGT authority to manage the authorization list.

Single values

*EXCLUDE
The user cannot access the object.

Other values (up to 11 repetitions)

*CHANGE
The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
*ALL
The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
*USE
The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
*AUTLMGT
Authorization list management authority provides the authority to add users to the authorization list, to change users' authorities on the authorization list, to remove users from the authorization list, to rename an authorization list, or to create a duplicate authorization list.
*OBJALTER
Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
*OBJEXIST
Object existence authority provides the authority to control the object's existence and ownership. These authorities are necessary for users who want to delete an object, free storage for an object, perform save and restore operations for an object, or transfer ownership of an object. A user with special save system (*SAVSYS) authority does not need existence authority to save or restore objects. Object existence authority is required to create an object that has an existing authority holder.
*OBJMGT
Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
*OBJOPR
Object operational authority provides authority to look at the description of an object and to use the object as determined by the user's data authority to the object.
*OBJREF
Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

Data authorities

*ADD
Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
*DLT
Delete authority allows the user to remove entries from an object (for example, remove messages from a message queue or records from a file).
*EXECUTE
Execute authority provides the authority needed to run a program or locate an object in a library or directory.
*READ
Read authority provides the authority needed to show the contents of an object.
*UPD
Update authority provides the authority to change the entries in an object.

Examples

ADDAUTLE  AUTL(PAYROLL)  USER(TOM)  AUT(*ALL *AUTLMGT)

This command adds user TOM to the PAYROLL authorization list and gives him all authority to the objects secured by the authorization list. TOM also has authority to manage the authorization list.


Error messages

*ESCAPE Messages

CPF22AA
Only *AUTLMGT authority can be specified with *ALL authority.
CPF22AB
Only *AUTLMGT can be specified with *CHANGE authority.
CPF22AC
Only *AUTLMGT authority can be specified with *USE authority.
CPF2253
No objects found for &1 in library &2.
CPF2280
*PUBLIC is always on authorization list, cannot be added.
CPF2281
The users specified do not exist on the system.
CPF2282
&1 errors adding users, &2 authorization lists processed.
CPF2283
Authorization list &1 does not exist.
CPF2284
Not authorized to change authorization list &1.
CPF2289
Unable to allocate authorization list &1.
CPF2290
*EXCLUDE cannot be specified with another authority.
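
An added example, not part of the IBM documentation: a Python pre-flight check that applies the parameter limits and the combination rules stated by the *ESCAPE messages above to ADDAUTLE commands written in keyword form, and flags grants that deserve a reviewer's attention. The function names are hypothetical, and because this page does not say which message the system reports first when several apply, all applicable message IDs are returned.

```python
import re

# Limits and rules below come from this page's parameter table and *ESCAPE
# message texts. Keyword form only; positional parameters are not parsed.
MAX_USERS, MAX_AUT = 50, 11
ONLY_WITH_AUTLMGT = {"*ALL": "CPF22AA", "*CHANGE": "CPF22AB", "*USE": "CPF22AC"}
AUT_VALUES = {"*EXCLUDE", "*CHANGE", "*ALL", "*USE", "*OBJALTER", "*OBJEXIST",
              "*OBJMGT", "*OBJOPR", "*OBJREF", "*ADD", "*DLT", "*EXECUTE",
              "*READ", "*UPD", "*AUTLMGT"}

def parse_addautle(command):
    """Split 'ADDAUTLE KW(values) ...' into {keyword: [values]}."""
    words = command.split(None, 1)
    if not words or words[0].upper() != "ADDAUTLE":
        raise ValueError("not an ADDAUTLE command")
    rest = words[1] if len(words) > 1 else ""
    return {kw.upper(): vals.upper().split()
            for kw, vals in re.findall(r"(\w+)\(([^)]*)\)", rest)}

def check_addautle(command):
    """Return (findings, review_notes) for one ADDAUTLE command string."""
    p = parse_addautle(command)
    autl, users, aut = p.get("AUTL", []), p.get("USER", []), p.get("AUT", [])
    findings, notes = [], []
    if not autl:
        findings.append("AUTL is required")
    if not users:
        findings.append("USER is required")
    if len(users) > MAX_USERS:
        findings.append("USER: more than 50 names")
    if "*PUBLIC" in users:
        findings.append("CPF2280")  # *PUBLIC is always on the list
    if any(a not in AUT_VALUES for a in aut):
        findings.append("AUT: value not in the documented list")
    if len(aut) > MAX_AUT:
        findings.append("AUT: more than 11 values")
    if "*EXCLUDE" in aut and len(aut) > 1:
        findings.append("CPF2290")  # *EXCLUDE is a single value
    for value, msgid in ONLY_WITH_AUTLMGT.items():
        if value in aut and set(aut) - {value, "*AUTLMGT"}:
            findings.append(msgid)
    # Review notes: valid syntax that still deserves a second look.
    if "*AUTLMGT" in aut:
        notes.append("grants management of the list itself")
    if "*ALL" in aut:
        notes.append("grants existence, security and ownership control")
    if any(name.endswith("*") for name in autl):
        notes.append("generic AUTL name: every matching list is changed")
    return findings, notes

if __name__ == "__main__":
    print(check_addautle("ADDAUTLE AUTL(PAYROLL) USER(TOM) AUT(*ALL *AUTLMGT)"))
```

The check is static: it cannot tell whether the authorization list or user profiles exist, or whether a user is already on the list, in which case the command leaves that user's authorities unchanged.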