Authorization lists

Like a group profile, an authorization list allows you to group objects with similar security requirements and associate the group with a list of users and user authorities.

Authorization lists provide an efficient way to manage the authority to similar objects on the system and aid in the recovery of security information.

Providing each user with explicit access to every object they need to work with might create a great deal of duplicated effort, because many users need to access the same group of objects. A much easier way to provide this access is to create authorization lists. Authorization lists consist of a list of users or groups, the type of authority (*USE, *CHANGE, and *EXCLUDE) for each user or group, and a list of objects to which that this list provides access.

For example, you can create an authorization list to contain a list of objects related to an inventory database. A user responsible for ordering new inventory items can be granted authority to see the contents of the database objects. Additionally, a user group in shipping and receiving needs to update this database as parts come in and out of stock. This group can have authority to change the contents of the objects.

An authorization list has these advantages:

From a security management view, an authorization list is the preferred method to manage objects that have the same security requirements. Even when there are only a few objects that would be secured by the list, there is still an advantage to using an authorization list instead of using private authorities on the object. Because the authorities are in one place (the authorization list), it is easier to change who is authorized to the objects. It is also easier to secure any new objects with the same security level authorities as the existing objects.

If you use authorization lists, you should not have private authorities on the object. Two searches of the user's private authorities are required during the authority checking if the object has private authorities and the object is also secured by an authorization list. The first search is for the private authorities on the object; the second search is for the private authorities on the authorization list. Two searches require additional system resources; therefore, system performance can be impacted. If you use only the authorization list, only one search is performed. Also, because of the use of authority caching with the authorization list, the performance for the authority check will be the same as it is for checking only private authorities on the object.

Comparison of group profiles and authorization lists

Group profiles are used to simplify managing user profiles that have similar security requirements. Authorization lists are used to secure objects with similar security requirements. The following table shows the characteristics of the two methods.

Table 1. Authorization list and group profile comparison
Usage considerations Authorization List Group Profile
Can use to secure multiple objects Yes Yes
User can belong to more than one Yes Yes
Private authority overrides other authority Yes Yes
User must be assigned authority independently Yes No
Authorities specified are the same for all objects Yes No
Object can be secured by more than one No Yes
Authority can be specified when the object is created Yes Yes
Can secure all object types No Yes
Association with object is deleted when object is deleted Yes No
Association with object is saved when the object is saved Yes No

You can find more detailed information about authorization lists in "Comparison of group profiles and authorization lists" in the iSeries™ Security Reference.

Related concepts
Plan authorization lists
Create an authorization list