Revoke Workstation Object Aut (RVKWSOAUT)

Where allowed to run: All environments (*ALL)
Threadsafe: No

The Revoke Workstation Object Authority (RVKWSOAUT) command is used to take away authority for a workstation object used by the i5/OS Graphical Operations program. Specific or all authority can be taken away from one or more users named in the command. You also can take away the authority of an authorization list for the named object.

This command can be issued by a security officer, by an object owner, or by a user who has object management authority to the object for which authority is to be revoked. If a specific authority (other than *ALL) is specified on the AUT parameter, and that authority is not revoked, a message is issued that indicates the authority that is not revoked.

*** Security Risk ***

Revoking all authorities given specifically to a user for an object can result in the user having more authority than before the operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.
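The risk described above, worked through as an added example (not IBM's code). It is a simplified model that uses the lookup order implied by the USER(*PUBLIC) description: specific authority, then authorization list, then group, then public. The profile names and the list contents are constructed for illustration.

```python
import copy

# Simplified model (assumption): the first source that names the user decides.
# Owner, special (*ALLOBJ) and adopted authority are left out.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

class AuthList:
    def __init__(self, public="*EXCLUDE"):
        self.users = {}        # profile -> authority on the list
        self.public = public

class WsObject:
    def __init__(self, public="*EXCLUDE", autl=None):
        self.private = {}      # profile -> authority given specifically
        self.autl = autl       # AuthList securing the object, or None
        self.public = public   # may be "*AUTL"

def effective(obj, user, group=None):
    """Return (authority, source) that decides access for user on obj."""
    autl_users = obj.autl.users if obj.autl else {}
    if user in obj.private:
        return obj.private[user], "specific"
    if user in autl_users:
        return autl_users[user], "authorization list"
    if group in obj.private:
        return obj.private[group], "group"
    if group in autl_users:
        return autl_users[group], "group via authorization list"
    if obj.public == "*AUTL":
        return (obj.autl.public if obj.autl else "*EXCLUDE"), "public via authorization list"
    return obj.public, "public"

def revoke_user(obj, user):
    """Model revoking everything given specifically to one user."""
    obj.private.pop(user, None)

def revoke_autl(obj):
    """Model the AUTL parameter: public *AUTL becomes *EXCLUDE, list is removed."""
    if obj.public == "*AUTL":
        obj.public = "*EXCLUDE"
    obj.autl = None

def revoke_impact(obj, user, group=None):
    """Preview a revoke on a copy; the last item is True if authority would rise."""
    before = effective(obj, user, group)
    trial = copy.deepcopy(obj)
    revoke_user(trial, user)
    after = effective(trial, user, group)
    return before, after, RANK[after[0]] > RANK[before[0]]

def sample():
    """Constructed data: USERA has *USE on the object and *CHANGE on the list."""
    autl = AuthList(public="*USE")
    autl.users["USERA"] = "*CHANGE"
    obj = WsObject(public="*AUTL", autl=autl)
    obj.private.update({"USERA": "*USE", "USERB": "*CHANGE"})
    return obj
```

Running `revoke_impact(sample(), "USERA")` reports the move from *USE to *CHANGE before any real revoke is issued, which is the check to make for every user who is also named on the securing authorization list.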

Restrictions:


Parameters

| Keyword | Description | Choices | Notes |
| --- | --- | --- | --- |
| WSOTYPE | Workstation object type | Element list | Required, Positional 1 |
| | Element 1: | *TPLWRKARA, *WRKARA, *TPLPRTOL, *PRTOL, *TPLPRTL, *PRTL, *TPLOUTQ, *TPLOUTQL, *OUTQL, *TPLJOBL, *JOBL, *TPLJOBQ, *TPLJOBLOG, *JOBLOG, *TPLJOBQL, *JOBQL, *TPLMSGL, *MSGL, *TPLMSGQ, *TPLMSGSND, *MSGSND, *TPLSGNUSL, *SGNUSL, *TPLOBJL, *OBJL, *TPLLIBSL, *LIBSL, *TPLLIB, *LAUNCH, *TPLLAUNCH, *PRSSET | |
| USER | Users | Single values: *ALL, *PUBLIC; Other values (up to 50 repetitions): Qualifier list | Optional, Positional 2 |
| | Qualifier 1: Users | Name | |
| AUT | Authority | Single values: *CHANGE, *ALL, *USE, *EXCLUDE, *AUTL; Other values (up to 7 repetitions): *OBJEXIST, *OBJMGT, *OBJOPR, *ADD, *DLT, *READ, *UPD | Optional, Positional 3 |
| AUTL | Authorization list | Name | Optional |

Workstation object type (WSOTYPE)

Specifies the workstation object for which specific authorities are to be revoked.

This is a required parameter.

*TPLWRKARA
The authorities to the work area template are revoked.
*WRKARA
The authorities to the work area objects are revoked.
*TPLPRTOL
The authorities to the printer output list template are revoked.
*PRTOL
The authorities to the printer output list objects are revoked.
*TPLPRTL
The authorities to the printer list template are revoked.
*PRTL
The authorities to the printer list objects are revoked.
*TPLOUTQ
The authorities to the output queue template are revoked.
*TPLOUTQL
The authorities to the output queue list template are revoked.
*OUTQL
The authorities to the output queue list objects are revoked.
*TPLJOBL
The authorities to the job list template are revoked.
*JOBL
The authorities to the job list objects are revoked.
*TPLJOBQ
The authorities to the job queue template are revoked.
*TPLJOBLOG
The authorities to the job log template are revoked.
*JOBLOG
The authorities to the job log objects are revoked.
*TPLJOBQL
The authorities to the job queue list template are revoked.
*JOBQL
The authorities to the job queue list objects are revoked.
*TPLMSGL
The authorities to the message list template are revoked.
*MSGL
The user authorities to the message list objects are revoked.
*TPLMSGQ
The authorities to the message queue template are revoked.
*TPLMSGSND
The authorities to the message sender template are revoked.
*MSGSND
The authorities to the message sender objects are revoked.
*TPLSGNUSL
The authorities to the signed-on user list template are revoked.
*SGNUSL
The authorities to the signed-on user list objects are revoked.
*TPLOBJL
The authorities to the object list template are revoked.
*OBJL
The authorities to the object list objects are revoked.
*TPLLIBSL
The authorities to the library list template are revoked.
*LIBSL
The user authorities to the library list objects are revoked.
*TPLLIB
The authorities to the library template are revoked.
*TPLLAUNCH
The authorities to the job submitter template are revoked.
*LAUNCH
The authorities to the job submitter objects are revoked.
*PRSSET
The authorities to the personal setting objects are revoked.

Users (USER)

Specifies one or more users whose specific authorities to the named object are to be revoked.

Authorities revoked by this command are related to those given by the Grant Workstation Object Authority (GRTWSOAUT) command. If users have public authority to an object because USER(*PUBLIC) was specified on the GRTWSOAUT command, that public authority is revoked when *PUBLIC is specified on this parameter. If users have specific authorities to an object because their names were specified on the GRTWSOAUT command, their names must be specified on this parameter to revoke the same authorities.

The authorities to be revoked are those specified for the Authority (AUT) parameter.

Note: Either this parameter or the AUTL parameter must be specified.

*ALL
The authorities specified on the AUT parameter are taken away from all enrolled users of the system except the owner, if they are publicly or explicitly authorized.
*PUBLIC
The specified authorities are taken away from users who do not have specific authority for the object, are not on the authorization list, and whose group has no authority. Any users who have specific authorities still keep their authorities to the object.
name
Specify the name of the user profile that is to have the specified authorities revoked. This parameter cannot be used to revoke public authority from specific users; only authorities that were specifically given to a user can be specifically revoked.

Authority (AUT)

Specifies the authority to be revoked from the users who do not have specific authority to the object, who are not on an authorization list, and whose user group does not have specific authority to the object.

Single values

*CHANGE
The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
*ALL
The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
*USE
The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
*EXCLUDE
The user cannot access the workstation object.
*AUTL
The public authority of the authorization list specified on the AUTL parameter is used for the public authority for the object.

Note: You can specify AUT(*AUTL) only when USER(*PUBLIC) is also specified.

Other values (up to 10 repetitions)

*OBJALTER
Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
*OBJMGT
Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
*OBJEXIST
Object existence authority provides the authority to control the object's existence and ownership. If a user has special save system authority (*SAVSYS), object existence authority is not needed to perform save and restore operations on the object.
*OBJOPR
Object operational authority provides authority to look at the description of an object and use the object as determined by the data authority that the user has to the object.
*OBJREF
Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

Data authorities

*ADD
Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
*DLT
Delete authority provides the authority to remove entries from an object.
*EXECUTE
Execute authority provides the authority needed to run a program or locate an object in a library.
*READ
Read authority provides the authority needed to get the contents of an entry in an object or to run a program.
*UPD
Update authority provides the authority to change the entries in an object.

Authorization list (AUTL)

Specifies the authorization list that is revoked from the object specified on the WSOTYPE parameter. If public authority for the object is *AUTL, it is changed to *EXCLUDE. The authorization list's authority is then removed.

Note: Either this parameter or the USER parameter must be specified. If this parameter is specified, the AUT parameter is ignored.

name
Specify the name of the authorization list.

Examples

RVKWSOAUT   WSOTYPE(*SGNUSL)  USER(HEANDERSON)  AUT(*DLT *UPD)

This command removes the delete and the update authorities for signed-on user list objects from the user profile named HEANDERSON.


Error messages

Unknown