Like a group profile, an authorization list allows you to group objects with similar security requirements and associate the group with a list of users and user authorities.
Authorization lists provide an efficient way to manage the authority to similar objects on the system and aid in the recovery of security information.
Providing each user with explicit access to every object they need to work with might create a great deal of duplicated effort, because many users need to access the same group of objects. A much easier way to provide this access is to create authorization lists. An authorization list consists of a list of users or groups, the type of authority (*USE, *CHANGE, or *EXCLUDE) for each user or group, and a list of objects to which this list provides access.
For example, you can create an authorization list to contain a list of objects related to an inventory database. A user responsible for ordering new inventory items can be granted authority to see the contents of the database objects. Additionally, a user group in shipping and receiving needs to update this database as parts come in and out of stock. This group can have authority to change the contents of the objects.
From a security management view, an authorization list is the preferred method to manage objects that have the same security requirements. Even when there are only a few objects that would be secured by the list, there is still an advantage to using an authorization list instead of using private authorities on the object. Because the authorities are in one place (the authorization list), it is easier to change who is authorized to the objects. It is also easier to secure any new objects with the same security level authorities as the existing objects.
If you use authorization lists, you should not have private authorities on the object. Two searches of the user's private authorities are required during the authority checking if the object has private authorities and the object is also secured by an authorization list. The first search is for the private authorities on the object; the second search is for the private authorities on the authorization list. Two searches require additional system resources; therefore, system performance can be impacted. If you use only the authorization list, only one search is performed. Also, because of the use of authority caching with the authorization list, the performance for the authority check will be the same as it is for checking only private authorities on the object.
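The inventory scenario above, carried through as a CL command sequence. This is an added example, not part of the original reference text; the authorization list INVLIST, library INVLIB, file INVMSTR, user ORDCLERK and group profile SHIPRCV are assumed names chosen for illustration. It also shows the cleanup step the preceding paragraph recommends (removing private authorities so that only the list is searched) and how a new object is secured by the same list at creation time.

```cl
/* Added example (not IBM's own text). Names INVLIST, INVLIB, INVMSTR,     */
/* ORDCLERK and SHIPRCV are assumptions chosen for this illustration.      */

/* 1. Create the list. Public authority on the list itself is *EXCLUDE so  */
/*    users not named on it get no access to the secured objects.          */
CRTAUTL AUTL(INVLIST) TEXT('Inventory database objects') AUT(*EXCLUDE)

/* 2. Name the users and the authority each one gets to every object the   */
/*    list secures: the ordering clerk only reads, the shipping/receiving  */
/*    group updates as parts move in and out of stock.                     */
ADDAUTLE AUTL(INVLIST) USER(ORDCLERK) AUT(*USE)
ADDAUTLE AUTL(INVLIST) USER(SHIPRCV)  AUT(*CHANGE)

/* 3. Secure the existing database file with the list, and let the file's  */
/*    public authority come from the list (AUT(*AUTL)) instead of from a   */
/*    value stored on the object.                                          */
GRTOBJAUT OBJ(INVLIB/INVMSTR) OBJTYPE(*FILE) AUTL(INVLIST)
GRTOBJAUT OBJ(INVLIB/INVMSTR) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 4. Remove any private authorities that were granted directly on the     */
/*    object before the list existed. With the list in place they are      */
/*    redundant and only cost a second private-authority search.           */
RVKOBJAUT OBJ(INVLIB/INVMSTR) OBJTYPE(*FILE) USER(ORDCLERK) AUT(*ALL)
RVKOBJAUT OBJ(INVLIB/INVMSTR) OBJTYPE(*FILE) USER(SHIPRCV)  AUT(*ALL)

/* 5. A new object with the same security requirements is secured by the   */
/*    list at creation time by naming the list on the AUT parameter, so no */
/*    per-object authority work is needed for it.                          */
CRTPF FILE(INVLIB/INVLOC) SRCFILE(INVLIB/QDDSSRC) SRCMBR(INVLOC) AUT(INVLIST)

/* 6. Verify: the object display should show *PUBLIC as *AUTL, the list    */
/*    name, and no remaining private entries; the list displays show who   */
/*    has what and which objects it secures.                               */
DSPOBJAUT  OBJ(INVLIB/INVMSTR) OBJTYPE(*FILE)
DSPAUTL    AUTL(INVLIST)
DSPAUTLOBJ AUTL(INVLIST)
```

Changing who may read or update the inventory objects afterwards is a single ADDAUTLE, CHGAUTLE or RMVAUTLE against INVLIST; nothing on the individual objects has to be touched, which is the management advantage the paragraphs above describe.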
Group profiles are used to simplify managing user profiles that have similar security requirements. Authorization lists are used to secure objects with similar security requirements. The following table shows the characteristics of the two methods.
Usage considerations | Authorization List | Group Profile |
---|---|---|
Can use to secure multiple objects | Yes | Yes |
User can belong to more than one | Yes | Yes |
Private authority overrides other authority | Yes | Yes |
User must be assigned authority independently | Yes | No |
Authorities specified are the same for all objects | Yes | No |
Object can be secured by more than one | No | Yes |
Authority can be specified when the object is created | Yes | Yes |
Can secure all object types | No | Yes |
Association with object is deleted when object is deleted | Yes | No |
Association with object is saved when the object is saved | Yes | No |
You can find more detailed information about authorization lists in "Comparison of group profiles and authorization lists" in the iSeries™ Security Reference.