Revoke Object Authority (RVKOBJAUT)

Where allowed to run: All environments (*ALL)
Threadsafe: No
Parameters
Examples
Error messages

The Revoke Object Authority (RVKOBJAUT) command is used to take away specific (or all) authority for the named object(s) from one or more users named in the command, or to remove the authority of an authorization list for the named object(s). This command can be run by the security officer, by an object's owner, or by a user who has object management authority for the object to be revoked. Users who have object management authority can revoke only the explicit authority that they have. A user may not be able to grant or revoke authority for an object that has been allocated (locked) by another job. Authority cannot be revoked for an object that is currently in use.

Note: Caution should be used when changing the public authority on IBM-supplied objects. For example, changing the public authority on the QSYSOPR message queue to be more restrictive than *CHANGE will cause some system programs to fail. The system programs will not have enough authority to send messages to the QSYSOPR message queue. For more information, refer to the iSeries Security Reference, SC41-5302.

Restrictions:

*** Security Risk ***

Revoking all authorities specifically given to a user for an object can result in the user having more authority than before the revoke operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.

Top

Parameters

Keyword Description Choices Notes
OBJ Object Qualified object name Required, Positional 1
Qualifier 1: Object Generic name, name, *ALL
Qualifier 2: Library Name, *LIBL, *CURLIB, *ALL, *ALLUSR, *USRLIBL, *ALLAVL, *ALLUSRAVL
OBJTYPE Object type *ALL, *ALRTBL, *BNDDIR, *CFGL, *CHTFMT, *CLD, *CLS, *CMD, *CNNL, *COSD, *CRG, *CRQD, *CSI, *CSPMAP, *CSPTBL, *CTLD, *DEVD, *DTAARA, *DTADCT, *DTAQ, *EDTD, *FCT, *FILE, *FNTRSC, *FNTTBL, *FORMDF, *FTR, *GSS, *IGCDCT, *IGCSRT, *IGCTBL, *IMGCLG, *IPXD, *JOBD, *JOBQ, *JOBSCD, *JRN, *JRNRCV, *LIB, *LIND, *LOCALE, *M36, *M36CFG, *MEDDFN, *MENU, *MGTCOL, *MODD, *MODULE, *MSGF, *MSGQ, *NODGRP, *NODL, *NTBD, *NWID, *NWSCFG, *NWSD, *OUTQ, *OVL, *PAGDFN, *PAGSEG, *PDFMAP, *PDG, *PGM, *PNLGRP, *PRDAVL, *PRDDFN, *PRDLOD, *PSFCFG, *QMFORM, *QMQRY, *QRYDFN, *RCT, *S36, *SBSD, *SCHIDX, *SPADCT, *SQLPKG, *SQLUDT, *SRVPGM, *SSND, *SVRSTG, *TBL, *TIMZON, *USRIDX, *USRPRF, *USRQ, *USRSPC, *VLDL, *WSCST Required, Positional 2
ASPDEV ASP device Name, *, *SYSBAS Optional
USER Users Single values: *ALL, *PUBLIC
Other values (up to 50 repetitions): Name
Optional, Positional 3
AUT Authority Single values: *CHANGE, *ALL, *USE, *EXCLUDE, *AUTL
Other values (up to 10 repetitions): *OBJALTER, *OBJEXIST, *OBJMGT, *OBJOPR, *OBJREF, *ADD, *DLT, *READ, *UPD, *EXECUTE
Optional, Positional 4
AUTL Authorization list Name Optional
Top

Object (OBJ)

Specifies the objects to have specific authority revoked. If *ALL is specified for the object name, a library name must be specified.

This is a required parameter.

Qualifier 1: Object

*ALL
All objects of the specified type (OBJTYPE) found in the search have specific authorities revoked. You must specify the name of a library when *ALL is specified for the object name.
generic-name
Specify the generic name of the objects that are to have specific authorities revoked.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name
Specify the name of the object that is to have specific authorities revoked.

Qualifier 2: Library

*LIBL
All libraries in the library list for the current thread are searched until the first match is found.
*CURLIB
The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.
*USRLIBL
If a current library entry exists in the library list for the current thread, the current library and the libraries in the user portion of the library list are searched. If there is no current library entry, only the libraries in the user portion of the library list are searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.
*ALL
All the libraries in the auxiliary storage pools (ASPs) specified for the ASP device (ASPDEV) parameter are searched.
*ALLUSR
All user libraries in the auxiliary storage pools (ASPs) defined by the ASP device (ASPDEV) parameter are searched.

User libraries are all libraries with names that do not begin with the letter Q except for the following:

#CGULIB     #DSULIB     #SEULIB
#COBLIB     #RPGLIB
#DFULIB     #SDALIB

Although the following libraries with names that begin with the letter Q are provided by IBM, they typically contain user data that changes frequently. Therefore, these libraries are also considered user libraries:

QDSNX       QRCLxxxxx   QUSRIJS     QUSRVxRxMx
QGPL        QSRVAGT     QUSRINFSKR
QGPL38      QSYS2       QUSRNOTES
QMGTC       QSYS2xxxxx  QUSROND
QMGTC2      QS36F       QUSRPOSGS
QMPGDATA    QUSER38     QUSRPOSSA
QMQMDATA    QUSRADSM    QUSRPYMSVR
QMQMPROC    QUSRBRM     QUSRRDARS
QPFRDATA    QUSRDIRCL   QUSRSYS
QRCL        QUSRDIRDB   QUSRVI

  1. 'xxxxx' is the number of a primary auxiliary storage pool (ASP).
  2. A different library name, in the format QUSRVxRxMx, can be created by the user for each previous release supported by IBM to contain any user commands to be compiled in a CL program for the previous release. For the QUSRVxRxMx user library, VxRxMx is the version, release, and modification level of a previous release that IBM continues to support.
*ALLAVL
All libraries in all available ASPs are searched.
*ALLUSRAVL
All user libraries in all available ASPs are searched. Refer to *ALLUSR for a definition of user libraries.
name
Specify the name of the library to be searched.
Top

Object type (OBJTYPE)

Specifies the object type of the object that has specific authorities revoked. For a complete list of object types, position the cursor on this parameter while prompting the command and press F4.

This is a required parameter.

*ALL
All object types (except *AUTL) have specific authorities revoked.
object-type
Specify the object type that is to have specific authorities revoked.
Top

ASP device (ASPDEV)

Specifies the auxiliary storage pool (ASP) device name where the library that contains the object (OBJ parameter) is located. If the object's library resides in an ASP that is not part of the library name space associated with the job, this parameter must be specified to ensure the correct object is used as the target of this command's operation.

*
The ASPs that are currently part of the job's library name space will be searched to locate the object. This includes the system ASP (ASP number 1), all defined basic user ASPs (ASP numbers 2-32), and, if the job has an ASP group, all independent ASPs in the ASP group.
*SYSBAS
The system ASP and all basic user ASPs will be searched to locate the object. No independent ASPs will be searched, even if the job has an ASP group.
name
Specify the device name of the independent ASP to be searched to locate the object. The independent ASP must have been activated (by varying on the ASP device) and have a status of AVAILABLE. The system ASP and basic user ASPs will not be searched.
Top

Users (USER)

Specifies one or more users whose specific authorities to the named object are to be revoked.

Note: Either this parameter or the Authorization list (AUTL) parameter must be specified.

Authorities revoked by this command are related to those given by the Grant Object Authority (GRTOBJAUT) command. If users have public authority to an object because USER(*PUBLIC) was specified on the GRTOBJAUT command, that public authority is revoked when *PUBLIC is specified on this parameter. If users have specific authorities to an object because their names were specified on the GRTOBJAUT command, their names must be specified on this parameter to revoke the same authorities.

The authorities to be revoked are specified on the Authority (AUT) parameter.

Single values

*ALL
The authorities specified are to be taken away from all enrolled users of the system except the owner, whether they were publicly or explicitly authorized.
*PUBLIC
The specified authorities are taken away from users who do not have specific authority for the object, are not on the authorization list, and whose group has no authority. Any users who have specific authorities still keep their authorities to the object.

Other values (up to 50 repetitions)

name
Specify the name of the user profile of the user that is to have the specified authorities revoked. This parameter cannot be used to revoke public authority from specific users; only authorities that were specifically given to a user can be specifically revoked. A maximum of 50 user profile names can be specified.
Top

Authority (AUT)

Specifies the authorities to be revoked from the users who do not have specific authority to the object, who are not on an authorization list, and whose user group does not have specific authority to the object.

Single values

*CHANGE
The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
*ALL
The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
*USE
The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
*EXCLUDE
The user cannot access the workstation object.
*AUTL
The public authority of the authorization list specified on the AUTL parameter is used for the public authority for the object.

Note: You can specify AUT(*AUTL) only when USER(*PUBLIC) is also specified.

Other values (up to 10 repetitions)

*OBJALTER
Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
*OBJMGT
Object management authority provides the authority to The security for the object, move or rename the object, and add members to database files.
*OBJEXIST
Object existence authority provides the authority to control the object's existence and ownership. If a user has special save system authority (*SAVSYS), object existence authority is not needed to perform save restore operations on the object.
*OBJOPR
Object operational authority provides authority to look at the description of an object and use the object as determined by the data authority that the user has to the object.
*OBJREF
Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

Data authorities

*ADD
Add authority provides the authority to add entries to an object (for example, job entries to an queue or records to a file).
*DLT
Delete authority provides the authority to remove entries from an object.
*EXECUTE
Execute authority provides the authority needed to run a program or locate an object in a library.
*READ
Read authority provides the authority needed to get the contents of an entry in an object or to run a program.
*UPD
Update authority provides the authority to change the entries in an object.
Top

Authorization list (AUTL)

Specifies the authorization list that is revoked from the object specified for the Object (OBJ) parameter. If public authority in the object is *AUTL, it is changed to *EXCLUDE.

Note: Either this parameter or the Users (USER) parameter must be specified. If this parameter is specified, the AUT parameter is ignored.

name
Specify the name of the authorization list.
Top

Examples

Example 1: Removing Authority From All Users Except Program Owner

RVKOBJAUT   OBJ(ARLIB/PROG1)  OBJTYPE(*PGM)  USER(*ALL)

This command removes the authorities (AUT was not specified; *CHANGE is assumed) from all users who were either explicitly or publicly authorized, except the owner, for the program (*PGM) named PROG1 located in the library named ARLIB.

Example 2: Removing Object Owner's Authority to Delete a Program

RVKOBJAUT   OBJ(TSMITHPGM/MITHLIB)  OBJTYPE(*PGM)
            USER(TMSMITH)  AUT(*OBJEXIST)

This command removes the object owner's (TMSMITH) authority to delete a program (TSMITHPGM) in his library (SMITHLIB). The object owner might do this to ensure that the object is not deleted by mistake. If the owner ever wants to delete the object, object existence authority for the object can be granted by using the Grant Object Authority (GRTOBJAUT) command).

Example 3: Removing *DLT and *UPD Authorities

RVKOBJAUT   OBJ(FILEX)  OBJTYPE(*FILE)
            USER(HEANDERSON)  AUT(*DLT *UPD)

This command removes delete and update authorities for the file named FILEX from the user HEANDERSON.

Example 4: Removing *OBJEXIST Authority

RVKOBJAUT   OBJ(ARLIB/ARJOBD)  OBJTYPE(*JOBD)  USER(RLJOHNSON)
            AUT(*OBJEXIST)

This command removes the object existence authority for the object named ARJOBD from the user RLJOHNSON. ARJOBD is a job description that is located in the library named ARLIB.

Example 5: Removing Specific Authorities

RVKOBJAUT   OBJ(FILEX)  OBJTYPE(*FILE)  AUTL(FILEUSERS)

This command removes specific authorities for the file named FILEX from the users in the authorization list FILEUSERS.

Top

Error messages

*ESCAPE Messages

CPF22A0
Authority of *AUTL is allowed only with USER(*PUBLIC).
CPF22A1
OBJTYPE(*AUTL) not valid on this command.
CPF22A2
Authority of *AUTL not allowed for object type *USRPRF.
CPF22A3
AUTL parameter not allowed for object type *USRPRF.
CPF22A4
*EXCLUDE cannot be revoked from *PUBLIC.
CPF22A5
Object &1 in &3 type *&2 not secured by authorization list &4.
CPF22DA
Operation on file &1 in &2 not allowed.
CPF2207
Not authorized to use object &1 in library &3 type *&2.
CPF2208
Object &1 in library &3 type *&2 not found.
CPF2209
Library &1 not found.
CPF2210
Operation not allowed for object type *&1.
CPF2211
Not able to allocate object &1 in &3 type *&2.
CPF2216
Not authorized to use library &1.
CPF2224
Not authorized to revoke authority for object &1 in &3 type *&2.
CPF2227
One or more errors occurred during processing of command.
CPF2236
AUT input value not supported.
CPF2243
Library name &1 not allowed with OBJ(generic name) or OBJ(*ALL).
CPF2253
No objects found for &1 in library &2.
CPF2254
No libraries found for &1 request.
CPF2273
Authority may not have been changed for object &1 in &3 type *&2 for user &4.
CPF2283
Authorization list &1 does not exist.
CPF9804
Object &2 in library &3 damaged.

*STATUS Messages

CPF2256
Specified authority for the object not revoked from all users.
Top