Create Authority Holder (CRTAUTHLR)
The Create Authority Holder (CRTAUTHLR) command allows a user to create an authority holder to secure an object of type *FILE before it exists on the system. The file must be a program-described database file. When an object by the specified name is created, the authorities specified in the authority holder are linked to the newly created object.
The authority holder is associated with one specific object, object type, and library. This allows only users with the correct authority to access the object. The authority holder and associated object always have the same owner.
If the object has authorities associated with it, they are linked to the newly created authority holder. The owner of the object becomes the owner of the authority holder. Authority holders are located in library QSYS.
Restrictions:
- This command is shipped with public *EXCLUDE authority.
- The object type to be secured by the new authority holder is limited to *FILE. The file must be a program-described database file.
- The authority holder cannot be created for objects located in libraries QRCL, QRECOVERY, QSPL, QSPLxxxx, QSYS, or QTEMP.
- Authority holders can only secure files in the system auxiliary storage pool (ASP) or a basic user ASP.
| Keyword | Description | Choices | Notes |
| --- | --- | --- | --- |
| OBJ | Object | Qualified object name | Required, Positional 1 |
| | Qualifier 1: Object | Name | |
| | Qualifier 2: Library | Name | |
| AUT | Authority | Name, *LIBCRTAUT, *CHANGE, *ALL, *USE, *EXCLUDE | Optional |
Object (OBJ)
Specifies the database file that the authority holder secures when the object is created.
This is a required parameter.
Qualifier 1: Object
- name: Specify the name to be given to the authority holder object.
Qualifier 2: Library
- name: Specify the name of the library where the authority holder is created.
Authority (AUT)
Specifies the authority you are giving to users who do not have specific authority for the object, who are not on an authorization list, and whose group profile or supplemental group profiles do not have specific authority for the object.
- *LIBCRTAUT: The system determines the authority for the object by using the value specified for the Create authority (CRTAUT) parameter on the Create Library command (CRTLIB) for the library containing the object to be created. If the value specified for the CRTAUT parameter is changed, the new value will not affect any existing objects.
- *CHANGE: The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
- *ALL: The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
- *USE: The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
- *EXCLUDE: The user cannot access the object.
- name: Specify the name of an authorization list to be used for authority to the object. Users included in the authorization list are granted authority to the object as specified in the list. The authorization list must exist when the object is created.
CRTAUTHLR OBJ(QGPL/FIL1) AUT(*EXCLUDE)
This command creates an authority holder for object FIL1 in library QGPL with *EXCLUDE authority.
GRTOBJAUT OBJ(QGPL/FIL1) OBJTYPE(*FILE) USER(TWO) AUT(*USE)
By running this command, *USE authority is granted to user TWO for the authority holder that secures file FIL1 in library QGPL.
CRTSRCF FILE(QGPL/FIL1)
By running this command, user ONE creates a file that has a matching authority holder. User ONE becomes the owner of the file with user TWO having *USE authority to QGPL/FIL1.
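The first two steps above as a rerunnable CL program, handling the "already exists" case from the message list below. This is an added example, not part of the original command documentation; FIL1, QGPL and user TWO are the page's own sample names, and the final DSPAUTHLR review step is an addition.

```cl
/* Added example: secure QGPL/FIL1 before the file exists.          */
/* FIL1, QGPL and user TWO are the sample names used on this page.  */
PGM

  /* Public authority *EXCLUDE: users with no specific authority    */
  /* cannot access the file once it is created.                     */
  /* CPF2163 (library not allowed), CPF22B2 (not authorized) and    */
  /* the other escape messages are deliberately not monitored, so   */
  /* the program stops rather than continuing without a holder.     */
  CRTAUTHLR  OBJ(QGPL/FIL1) AUT(*EXCLUDE)
  /* CPF22B5: authority holder already exists. Ignore it so the     */
  /* program can be run again without failing.                      */
  MONMSG     MSGID(CPF22B5)

  /* The private authority for TWO is recorded against the          */
  /* authority holder and is linked to FIL1 when the file is        */
  /* created.                                                       */
  GRTOBJAUT  OBJ(QGPL/FIL1) OBJTYPE(*FILE) USER(TWO) AUT(*USE)

  /* Print the authority holders on the system for review.          */
  DSPAUTHLR  OUTPUT(*PRINT)

ENDPGM
```

Because the command ships with public *EXCLUDE authority, the profile that runs this program needs to have been granted authority to CRTAUTHLR.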
*ESCAPE Messages
- CPC2212: Authority holder created.
- CPF2122: Storage limit exceeded for user profile &1.
- CPF2163: Creation of authority holder in &2 not allowed.
- CPF22BA: Authority holder could not be created.
- CPF22BC: Object &1 type &3 is not program defined.
- CPF22B2: Not authorized to create or delete authority holder.
- CPF22B5: Authority holder already exists.
- CPF22B6: Authority holder could not be created.
- CPF2283: Authorization list &1 does not exist.
- CPF2289: Unable to allocate authorization list &1.
- CPF9803: Cannot allocate object &2 in library &3.