Work with security commands

This article describes how to use security commands to display, change, and delete security information.

The table below shows the commands you use to view, change, and delete security objects on the system.
Table 1. Security Commands
| Security Object | How to View | How to Change | How to Delete |
|---|---|---|---|
| System Value | WRKSYSVAL, DSPSYSVAL | WRKSYSVAL, CHGSYSVAL | Cannot be deleted |
| Job Description | WRKJOBD, DSPJOBD | WRKJOBD, CHGJOBD | DLTJOBD |
| Group Profile | WRKUSRPRF, DSPUSRPRF, DSPAUTUSR | WRKUSRPRF, CHGUSRPRF | DLTUSRPRF (notes 1, 2) |
| User Profile | WRKUSRPRF, DSPUSRPRF, DSPAUTUSR | WRKUSRPRF, CHGUSRPRF, CHGUSRAUD | DLTUSRPRF (note 1) |
| Object Authorities | DSPAUT, DSPOBJAUT, DSPUSRPRF TYPE(*OBJAUT) | CHGAUT, EDTOBJAUT, GRTOBJAUT, WRKAUT | EDTOBJAUT, RVKOBJAUT, WRKAUT |
| Object Ownership | WRKOBJOWN, DSPOBJAUT, DSPUSRPRF TYPE(*OBJOWN) | CHGOBJOWN, CHGOWN | CHGOBJOWN, CHGOWN (allows you to revoke the rights of the previous owner) |
| Primary Group | DSPOBJAUT, WRKOBJPGP, DSPUSRPRF TYPE(*OBJPGP) | CHGOBJPGP, CHGPGP | CHGOBJPGP, CHGPGP (set primary group to *NONE) |
| Object Auditing | DSPOBJD | CHGOBJAUD, CHGAUD | CHGOBJAUD (set to *NONE), CHGAUD |
| Authorization List | DSPAUTL, DSPAUTLOBJ | EDTAUTL (user authority to a list), EDTOBJAUT (object secured by list), ADDAUTLE, CHGAUTLE, GRTOBJAUT | DLTAUTL (entire list; note 3), RMVAUTLE (remove user authority to the list), EDTOBJAUT (object secured by list), RVKOBJAUT |

  1. IBM® recommends using the remove option from the Work with User Enrollment display for deleting a profile. Using this option, you can delete any objects that are owned by the profile or reassign them to a new owner. Certain DLTUSRPRF command parameters allow you to delete all objects that are owned by the user or assign them all to a new owner. You cannot delete a profile unless you delete or reassign owned objects. You also cannot delete a profile that is the primary group for any objects.
  2. You cannot delete a group profile that has any members. Use the *GRPMBR option of the DSPUSRPRF command to list the members of the group. Change the Group Profile field in each of the individual group profiles before deleting the group profile.
  3. You cannot delete an authorization list that is used to secure objects. Use the DSPAUTLOBJ command to list the objects that are secured by the list. Change the authority of any objects that are secured by the list by using the EDTOBJAUT command.

Viewing and listing security information

You can list security information by using a display (DSP) command with a print (*PRINT) option. For example, to display an authorization list called MYLIST, type DSPAUTL MYLIST *PRINT.

Some display commands provide options for different types of lists. For example, when you created individual user profiles, you used the *GRPMBR option of the DSPUSRPRF command to list all the members of a group profile. Use prompting (F4) and online information to find out what lists are available for security objects.

You can use the Display (DSP) commands to view security information at your display station. You can also use the Work with... (WRK) commands, which provide more function. The Work with... commands give you a list display. You can use this display to change, delete, and view information.

You can also use security commands to list or view information by using a generic name. If you type WRKUSRPRF DPT*, your Work with User Enrollment display or Work with User Profile display shows only profiles that start with the characters DPT. Use online information for a command to find out which parameters allow generic names.

Changing security information

You can change security information interactively by using a Work with... (WRK) or Edit... (EDT) command. You can view the information, change it, and view the information again after the change.

You can also change security information without viewing it before and after the change by using a Change... (CHG) or Grant... (GRT) command. This method is particularly useful for making a change to more than one object at a time. For example, you used the GRTOBJAUT command to set public authority for all the objects in a library.

Deleting security information

You can delete or remove certain types of security information interactively by using the Work with... (WRK) or Edit... (EDT) commands. You can also use Delete... (DLT), Remove... (RMV), and Revoke... (RVK) commands to delete security information. Often, you must meet certain conditions before the system allows you to delete security information.
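
The conditions in notes 1 and 2 of Table 1, worked through as a command sequence for retiring a group profile. This is an added example, not part of the original article; the profile names DPTGRP, DPTUSR1, and DPTOWNER are constructed, and the PGPOPT parameter of DLTUSRPRF is not mentioned on this page.

```cl
/* Added example. DPTGRP (group profile), DPTUSR1 (a member), and     */
/* DPTOWNER (new owner) are constructed names.                        */

/* Note 2: a group profile that has members cannot be deleted.        */
/* Print the member list first.                                       */
DSPUSRPRF USRPRF(DPTGRP) TYPE(*GRPMBR) OUTPUT(*PRINT)

/* Repeat for every member on that list. Removing the group also      */
/* requires the user to own what they create and to carry no group    */
/* authority. Assumes DPTUSR1 has no supplemental groups.             */
CHGUSRPRF USRPRF(DPTUSR1) GRPPRF(*NONE) OWNER(*USRPRF) GRPAUT(*NONE)

/* Note 1: a profile cannot be deleted while it owns objects or is    */
/* the primary group for any object. Print both lists and review      */
/* them before deciding where ownership should go.                    */
DSPUSRPRF USRPRF(DPTGRP) TYPE(*OBJOWN) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(DPTGRP) TYPE(*OBJPGP) OUTPUT(*PRINT)

/* Confirm that the member list is now empty.                         */
DSPUSRPRF USRPRF(DPTGRP) TYPE(*GRPMBR) OUTPUT(*PRINT)

/* Delete the profile. Owned objects are reassigned to DPTOWNER and   */
/* objects that had DPTGRP as primary group are set to *NONE.         */
DLTUSRPRF USRPRF(DPTGRP) OWNOBJOPT(*CHGOWN DPTOWNER) +
          PGPOPT(*CHGPGP *NONE)
```

Keep the printed *OBJOWN and *OBJPGP lists with the change record: after the delete they are the only record of what DPTGRP owned and which objects lost their primary group.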