System-defined authorities

Use this information to plan system-defined authorities. To design simple resource security, try to plan security for entire libraries. The table shows how system-defined authorities apply to securing files, programs, and libraries:

Table 1. System-defined authorities

| | *USE authority | *CHANGE authority | *ALL authority | *EXCLUDE¹ authority |
|---|---|---|---|---|
| Operations allowed for files | View information in the file. | View, change, and delete records in the file. | Create and delete the file. Add, change, and delete records in the file. Authorize others to use the file. | None. |
| Operations not allowed for files | Change or delete any information in the file. Delete the file. | Delete or clear the entire file. | None. | Any access to the file. |
| Operations allowed for programs | Run the program. | Change the description of the program. | Create, change, and delete the program. Authorize others to use the program. | None. |
| Operations not allowed for programs | Change or delete the program. | Change or delete the program. | Change the owner of the program, if the program adopts authority. | Any access to the program. |
| Operations allowed for libraries | For objects in the library, any operation allowed by the authority to the specific object. For the library, view descriptive information. | For objects in the library, any operation allowed by the authority to the specific object. Add new objects to the library. Change the library description. | Everything allowed with change authority. Delete the library. Authorize others to the library. | None. |
| Operations not allowed for libraries | Add new objects to the library. Change the library description. Delete the library. | Delete the library. | None. | Any access to the library. |

¹ *EXCLUDE overrides any authorities that you grant to the public or through a group profile.

Understanding how object authority and library authority work together

You also need to understand how library and object authority work together. The table below gives examples of authorities that are required for both an object and the library:

Table 2. How library authority and object authority work together

| Object type | Operations | Object authority needed | Library authority needed |
|---|---|---|---|
| File | Change data | *CHANGE | *EXECUTE |
| File | Delete the file | *OBJOPR, *OBJEXIST | *EXECUTE |
| File | Create the file | None. | *EXECUTE, *ADD |
| Program | Run the program | *USE | *EXECUTE, *OBJOPR |
| Program | Recompile the program | *OBJEXIST, *OBJMGT, *READ | *ADD, *READ |
| Program | Delete the program | *OBJEXIST | *EXECUTE |
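
The combined check that the two tables describe, as an added Python sketch (not IBM code): it tests a user's object and library authority against the Table 2 requirements and reports what is missing. The breakdown of *USE, *CHANGE and *ALL into specific authorities, the private-then-group-then-public lookup order, and all function names are assumptions of this example; *ALLOBJ, ownership, authorization lists and adopted authority are ignored.

```python
# Added illustration (not IBM code). Simplified model: ignores *ALLOBJ special
# authority, ownership, authorization lists and adopted authority.

# Specific authorities behind each system-defined authority. This mapping is an
# assumption taken from general IBM i documentation, not from the tables above.
SYSTEM_DEFINED = {
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*EXCLUDE": set(),
}

# Table 2: (object type, operation) -> (object authority, library authority)
REQUIRED = {
    ("File", "Change data"): ({"*CHANGE"}, {"*EXECUTE"}),
    ("File", "Delete the file"): ({"*OBJOPR", "*OBJEXIST"}, {"*EXECUTE"}),
    ("File", "Create the file"): (set(), {"*EXECUTE", "*ADD"}),
    ("Program", "Run the program"): ({"*USE"}, {"*EXECUTE", "*OBJOPR"}),
    ("Program", "Recompile the program"):
        ({"*OBJEXIST", "*OBJMGT", "*READ"}, {"*ADD", "*READ"}),
    ("Program", "Delete the program"): ({"*OBJEXIST"}, {"*EXECUTE"}),
}

def expand(names):
    """Turn a mix of system-defined and specific authorities into specific ones."""
    specific = set()
    for name in names:
        specific |= SYSTEM_DEFINED.get(name, {name})
    return specific

def effective(private=None, group=None, public="*EXCLUDE"):
    """First authority found wins, so a private *EXCLUDE beats group and public."""
    return next(a for a in (private, group, public) if a is not None)

def missing(obj_type, operation, object_aut, library_aut):
    """Return (object authorities still needed, library authorities still needed)."""
    need_obj, need_lib = REQUIRED[(obj_type, operation)]
    have_obj = expand({object_aut}) if object_aut else set()
    return expand(need_obj) - have_obj, expand(need_lib) - expand({library_aut})

def allowed(obj_type, operation, object_aut, library_aut):
    return missing(obj_type, operation, object_aut, library_aut) == (set(), set())

if __name__ == "__main__":
    # *ALL on the file does not help when the library itself is excluded.
    print(missing("File", "Change data", "*ALL", "*EXCLUDE"))
```

The result shows why planning security at the library level is effective: without *EXECUTE on the library, no authority on the object inside it is enough.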

Now you are ready to set up specific authorities for objects, directories, and libraries. For more information on the types of authorities available and some examples of how the authorities are used, see "Chapter 1. Resource Security" and "Appendix D. Authority Required for Objects Used by Commands" in the iSeries™ Security Reference.
