This article describes the task of creating an authorization list, explains why it is important, and provides step-by-step instructions.
After you set up ownership and public authority, you are ready to set up authorization lists. Using information from your Authorization List forms, create any authorization lists that are necessary to secure the library.
Use the Create Authorization List (CRTAUTL) command:
- Type CRTAUTL and press F4 (Prompt).
- Fill in the information from your Authorization List form.
- Press F10 (Additional parameters).
- Use the Authority (AUT) parameter to specify the public authority for objects that are secured by the list.
- Check for confirmation messages.
| Possible error | Recovery |
| --- | --- |
| You typed the name of the list incorrectly. | You cannot change the name of a list once the system has created it. Delete the list (DLTAUTL) and try again. |
| You forgot to specify the public authority for the list. | Use the Edit Authorization List (EDTAUTL) command. |
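The same procedure from a command line, as an added example that is not part of the IBM topic. The list name PAYROLL, the library PAYLIB, its objects and the user and group profiles are constructed sample names; the commands and keywords are the standard CL commands for authorization lists (CRTAUTL, ADDAUTLE, GRTOBJAUT, DSPAUTL, DSPAUTLOBJ, DSPOBJAUT, CHGAUTLE, DLTAUTL).

```cl
/* Added example (not from the IBM topic): create the list named on the
   Authorization List form and secure a library's objects with it.
   PAYROLL, PAYLIB, EMPMAST, PAYCALC and the profiles are constructed. */

/* Step 1: create the list. AUT() is the public authority for every
   object the list will secure. *EXCLUDE is the conservative choice for
   a library that holds sensitive data; named entries open it up. */
CRTAUTL AUTL(PAYROLL) TEXT('Payroll library objects') AUT(*EXCLUDE)

/* Step 2: add entries for the users and groups from the form. A group
   profile (PAYGRP) is added once; its members inherit the authority. */
ADDAUTLE AUTL(PAYROLL) USER(PAYGRP)   AUT(*CHANGE)
ADDAUTLE AUTL(PAYROLL) USER(PAYADMIN) AUT(*ALL)
ADDAUTLE AUTL(PAYROLL) USER(AUDITOR)  AUT(*USE)

/* Step 3: secure the objects. Each object is pointed at the list, and
   its public authority is set to *AUTL explicitly so that the list's
   *PUBLIC entry governs the object rather than an authority stored on
   the object itself. */
GRTOBJAUT OBJ(PAYLIB/EMPMAST) OBJTYPE(*FILE) AUTL(PAYROLL)
GRTOBJAUT OBJ(PAYLIB/EMPMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(PAYLIB/PAYCALC) OBJTYPE(*PGM)  AUTL(PAYROLL)
GRTOBJAUT OBJ(PAYLIB/PAYCALC) OBJTYPE(*PGM)  USER(*PUBLIC) AUT(*AUTL)

/* Step 4: check the result. DSPAUTL shows the entries and the *PUBLIC
   authority; DSPAUTLOBJ lists every object the list secures; DSPOBJAUT
   confirms that the object's public authority is *AUTL and names the
   list. Review these before adding anything else to the library. */
DSPAUTL    AUTL(PAYROLL)
DSPAUTLOBJ AUTL(PAYROLL)
DSPOBJAUT  OBJ(PAYLIB/EMPMAST) OBJTYPE(*FILE)

/* Recovery, second row of the table: a forgotten or wrong public
   authority is corrected on the list's *PUBLIC entry, which applies to
   all secured objects at once. */
CHGAUTLE AUTL(PAYROLL) USER(*PUBLIC) AUT(*EXCLUDE)

/* Recovery, first row of the table: a list cannot be renamed. Delete
   the misnamed list (here the constructed typo PAYRLL) before securing
   any objects with it, then create it again with the right name. */
DLTAUTL AUTL(PAYRLL)
```

Securing the objects in the library is the step that actually changes who can reach the data; creating the list and adding entries has no effect until GRTOBJAUT ties an object to it, so the DSPAUTLOBJ check is the one that tells you whether the library is covered.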
To create an authorization list from iSeries™ Navigator, perform the following steps:
- From iSeries Navigator, expand your server and then Security. You will see Authorization Lists and Policies.
- Right-click Authorization Lists and select New Authorization List. The New Authorization List dialog offers the following authority levels:
- Use: Allows access to the object attributes and use of the object. The public may view, but not change the objects.
- Change: Allows the contents of the object, with some exceptions, to be changed.
- All: Allows all operations on the object, except those that are limited to the owner. The user or group can control the object’s existence, specify the security for the object, change the object, and perform basic functions on the object. The user or group can also change ownership of the object.
- Exclude: All operations on the object are prohibited. No access or operations are allowed to the object for the users and groups having this permission. For the public, it specifies that the public is not allowed to use the object.
When working with authorization lists, you will want to grant permissions for both objects and data.
Object permissions you can choose are:
- Operational: Provides the permission to look at the description of an object and use the object as determined by the data permission that the user or group has to the object.
- Management: Provides the permission to specify the security for the object, move or rename the object, and add members to the database files.
- Existence: Provides the permission to control the object’s existence and ownership. The user or group can delete the object, free storage of the object, perform save and restore operations for the object, and transfer ownership of the object. If a user or group has special save permission, the user or group does not need object existence permission.
- Alter (used only for database files and SQL packages): Provides the permission needed to alter the attributes of an object. If the user or group has this permission on a database file, the user or group can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user or group has this permission on an SQL package, the user or group can change the attributes of the SQL package. This permission is currently used only for database files and SQL packages.
- Reference (used only for database files and SQL packages): Provides the permission needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user or group has this permission on a physical file, the user or group can add referential constraints in which the physical file is the parent. This permission is currently used only for database files.
Data permissions you can choose are:
- Read: Provides the permission needed to get and display the contents of the object, such as viewing records in a file.
- Add: Provides the permission to add entries to an object, such as adding messages to a message queue or adding records to a file.
- Update: Provides the permission to change the entries in an object, such as changing records in a file.
- Delete: Provides the permission to remove entries from an object, such as removing messages from a message queue or deleting records from a file.
- Execute: Provides the permission needed to run a program, service program or SQL package. The user can also locate an object in a library or directory.
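Entries built from the individual object and data permissions described above, as an added example that is not part of the IBM topic. The list PAYROLL, the file PAYLIB/EMPMAST and the user profiles are constructed sample names; the special values (*OBJOPR, *OBJMGT, *OBJEXIST, *OBJALTER, *OBJREF, *READ, *ADD, *UPD, *DLT, *EXECUTE) are the CL keywords for the permissions listed above, and the expansion of *USE, *CHANGE and *ALL into those values is the system-defined mapping.

```cl
/* Added example (not from the IBM topic): entries that combine the
   specific object and data permissions instead of a system-defined
   level. PAYROLL, PAYLIB/EMPMAST and the profiles are constructed.  */

/* The Use / Change / All levels are shorthand for fixed sets of the
   specific permissions:
     *USE    = *OBJOPR *READ *EXECUTE
     *CHANGE = *OBJOPR *READ *ADD *UPD *DLT *EXECUTE
     *ALL    = *OBJOPR *OBJMGT *OBJEXIST *OBJALTER *OBJREF
               *READ *ADD *UPD *DLT *EXECUTE
   *OBJOPR (Operational) is the gate: without it the data permissions
   cannot be exercised, which is why every entry below includes it.   */

/* Report user: read and run only, nothing that writes. Same as *USE. */
ADDAUTLE AUTL(PAYROLL) USER(RPTUSER) AUT(*OBJOPR *READ *EXECUTE)

/* Data-entry user: may add new records but not change or delete the
   ones already there. No system-defined level expresses this, so the
   specific values are required. */
ADDAUTLE AUTL(PAYROLL) USER(ENTRYUSR) AUT(*OBJOPR *READ *ADD *EXECUTE)

/* Database administrator for the file: *OBJALTER allows triggers and
   constraints to be added and removed, *OBJREF lets this physical file
   be the parent of a referential constraint, *OBJMGT allows moving and
   renaming. *OBJEXIST is deliberately left out, so the DBA cannot
   delete the file or transfer its ownership: that is *ALL minus
   Existence, expressed with specific values. */
ADDAUTLE AUTL(PAYROLL) USER(DBAUSER) +
         AUT(*OBJOPR *OBJMGT *OBJALTER *OBJREF *READ *ADD *UPD *DLT *EXECUTE)

/* Reduce an existing entry: CHGAUTLE replaces the entry's permissions
   with exactly the set given. */
CHGAUTLE AUTL(PAYROLL) USER(ENTRYUSR) AUT(*OBJOPR *READ *EXECUTE)

/* Remove a user who no longer needs access. Because the permissions
   live in the list, every object secured by the list is updated at
   once; nothing has to be changed on the objects themselves. */
RMVAUTLE AUTL(PAYROLL) USER(RPTUSER)

/* Confirm the entries read as intended. */
DSPAUTL AUTL(PAYROLL)
```

Note that the `+` at the end of the DBAUSER line is the CL continuation character; on a prompted command line the same parameters are entered in the AUT field.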
You can now secure objects with an authorization list.