<!doctype html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><META http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Revoke Workstation Object Aut (RVKWSOAUT)</title>
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body bgcolor="white">
<script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<a name="RVKWSOAUT.Top_Of_Page"></a>
<h2>Revoke Workstation Object Aut (RVKWSOAUT)</h2>
<table width="100%">
<tr>
<td valign="top" align="left"><b>Where allowed to run: </b>All environments (*ALL)<br>
<b>Threadsafe: </b>No
</td>
<td valign="top" align="right">
<a href="#RVKWSOAUT.PARAMETERS.TABLE">Parameters</a><br>
<a href="#RVKWSOAUT.COMMAND.EXAMPLES">Examples</a><br>
<a href="#RVKWSOAUT.ERROR.MESSAGES">Error messages</a></td>
</tr>
</table>

<div> <a name="RVKWSOAUT"></a>
<p>The Revoke Workstation Object Authority (RVKWSOAUT) command is used to take away authority for a workstation object used by the i5/OS Graphical Operations program. Specific or all authority can be taken away from one or more users named in the command. You also can take away the authority of an authorization list for the named object.
</p>
<p>This command can be issued by a security officer, by an object owner, or by a user who has object management authority to the object for which authority is to be revoked. If a specific authority (other than *ALL) is specified on the AUT parameter, and that authority is not revoked, a message is issued that indicates the authority that is not revoked.
</p>
<p><b>*** Security Risk ***</b>
</p>
<p>Revoking all authorities given specifically to a user for an object can result in the user having more authority than before the operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.
</p>
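<p>Added example, not part of the IBM documentation: a simplified Python model of the lookup order this page describes (specific authority, then authorization list, then group, then *PUBLIC) that previews what a user would hold after all specific authority is revoked. It goes beyond the single case in the note by also covering fallback to group and public authority; every name and the sample data are hypothetical and constructed for illustration.
</p>

```python
# Added illustration (not IBM code): simplified model of the lookup order this
# page describes: specific authority, authorization list, group, then *PUBLIC.
# Wso, effective_authority, preview_revoke, risky_revokes are hypothetical names.
from dataclasses import dataclass, field, replace

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}  # single values only

@dataclass
class Wso:
    specific: dict = field(default_factory=dict)   # user -> authority granted by name
    autl: dict = field(default_factory=dict)       # user -> authority on the securing list
    group_of: dict = field(default_factory=dict)   # user -> group profile
    group_aut: dict = field(default_factory=dict)  # group -> authority
    public: str = "*EXCLUDE"

def effective_authority(obj, user):
    """Return (authority, source); the first source that names the user decides."""
    if user in obj.specific:
        return obj.specific[user], "specific"
    if user in obj.autl:
        return obj.autl[user], "authorization list"
    group = obj.group_of.get(user)
    if group in obj.group_aut:
        return obj.group_aut[group], "group"
    return obj.public, "*PUBLIC"

def preview_revoke(obj, user):
    """What the user would hold once all specific authority is revoked; obj is untouched."""
    before, _ = effective_authority(obj, user)
    remaining = {u: a for u, a in obj.specific.items() if u != user}
    after, source = effective_authority(replace(obj, specific=remaining), user)
    return {"before": before, "after": after, "source": source,
            "escalates": RANK[after] > RANK[before]}

def risky_revokes(obj, users):
    """Users for whom the revoke would raise, not lower, their authority."""
    return [u for u in users if preview_revoke(obj, u)["escalates"]]

# Constructed sample data: USERA mirrors the case in the Security Risk note.
SAMPLE = Wso(
    specific={"USERA": "*USE", "USERB": "*CHANGE", "USERC": "*EXCLUDE"},
    autl={"USERA": "*CHANGE"},
    group_of={"USERC": "GRPOPS"}, group_aut={"GRPOPS": "*USE"},
    public="*USE",
)

if __name__ == "__main__":
    for name in SAMPLE.specific:
        print(name, preview_revoke(SAMPLE, name))
```

<p>A user reported by <code>risky_revokes</code> should have their authorization-list and group authority reviewed before the specific authority is revoked.
</p>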
<p><b>Restrictions:</b>
</p>
<ul>
<li>If you have object management (*OBJMGT) authority, you can revoke only the explicit authority that you have.
</li>
<li>You might not be able to grant or revoke authority for an object that has been allocated (locked) to another job. Authority cannot be revoked for an object that is currently in use.
</li>
</ul>
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">

<div>
<h3><a name="RVKWSOAUT.PARAMETERS.TABLE">Parameters</a></h3>
<table border="1" cellpadding="4" cellspacing="0">
<!-- col1="10" col2="15" col3="30" col4="10" -->
<tr>
<th bgcolor="aqua" valign="bottom" align="left">Keyword</th>
<th bgcolor="aqua" valign="bottom" align="left">Description</th>
<th bgcolor="aqua" valign="bottom" align="left">Choices</th>
<th bgcolor="aqua" valign="bottom" align="left">Notes</th>
</tr>
<tr>
<td valign="top" rowspan="2"><a href="#RVKWSOAUT.WSOTYPE"><b>WSOTYPE</b></a></td>
<td valign="top">Workstation object type</td>
<td valign="top"><i>Element list</i></td>
<td valign="top" rowspan="2">Required, Positional 1</td>
</tr>
<tr>
<td valign="top">Element 1: </td>
<td valign="top">
*TPLWRKARA, *WRKARA, *TPLPRTOL, *PRTOL, *TPLPRTL, *PRTL, *TPLOUTQ, *TPLOUTQL, *OUTQL, *TPLJOBL, *JOBL, *TPLJOBQ, *TPLJOBLOG, *JOBLOG, *TPLJOBQL, *JOBQL, *TPLMSGL, *MSGL, *TPLMSGQ, *TPLMSGSND, *MSGSND, *TPLSGNUSL, *SGNUSL, *TPLOBJL, *OBJL, *TPLLIBSL, *LIBSL, *TPLLIB, *LAUNCH, *TPLLAUNCH, *PRSSET</td>
</tr>
<tr>
<td valign="top" rowspan="2"><a href="#RVKWSOAUT.USER"><b>USER</b></a></td>
<td valign="top">Users</td>
<td valign="top">Single values: *ALL, *PUBLIC<br>Other values (up to 50 repetitions): <i>Qualifier list</i></td>
<td valign="top" rowspan="2">Optional, Positional 2</td>
</tr>
<tr>
<td valign="top">Qualifier 1: Users</td>
<td valign="top"><i>Name</i></td>
</tr><tr>
<td valign="top"><a href="#RVKWSOAUT.AUT"><b>AUT</b></a></td>
<td valign="top">Authority</td>
<td valign="top">Single values: <b><u>*CHANGE</u></b>, *ALL, *USE, *EXCLUDE, *AUTL<br>Other values (up to 7 repetitions): *OBJEXIST, *OBJMGT, *OBJOPR, *ADD, *DLT, *READ, *UPD</td>
<td valign="top">Optional, Positional 3</td>
</tr>
<tr>
<td valign="top"><a href="#RVKWSOAUT.AUTL"><b>AUTL</b></a></td>
<td valign="top">Authorization list</td>
<td valign="top"><i>Name</i></td>
<td valign="top">Optional</td>
</tr>
</table>

<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
</div>
<div> <a name="RVKWSOAUT.WSOTYPE"></a>
<h3>Workstation object type (WSOTYPE)</h3>
<p>Specifies the workstation object for which specific authorities are to be revoked.
</p>
<p>This is a required parameter.
</p>
<dl>
<dt><b>*TPLWRKARA</b></dt>
<dd>The authorities to the work area template are revoked.
</dd>
<dt><b>*WRKARA</b></dt>
<dd>The authorities to the work area objects are revoked.
</dd>
<dt><b>*TPLPRTOL</b></dt>
<dd>The authorities to the printer output list template are revoked.
</dd>
<dt><b>*PRTOL</b></dt>
<dd>The authorities to the printer output list objects are revoked.
</dd>
<dt><b>*TPLPRTL</b></dt>
<dd>The authorities to the printer list template are revoked.
</dd>
<dt><b>*PRTL</b></dt>
<dd>The authorities to the printer list objects are revoked.
</dd>
<dt><b>*TPLOUTQ</b></dt>
<dd>The authorities to the output queue template are revoked.
</dd>
<dt><b>*TPLOUTQL</b></dt>
<dd>The authorities to the output queue list template are revoked.
</dd>
<dt><b>*OUTQL</b></dt>
<dd>The authorities to the output queue list objects are revoked.
</dd>
<dt><b>*TPLJOBL</b></dt>
<dd>The authorities to the job list template are revoked.
</dd>
<dt><b>*JOBL</b></dt>
<dd>The authorities to the job list objects are revoked.
</dd>
<dt><b>*TPLJOBQ</b></dt>
<dd>The authorities to the job queue template are revoked.
</dd>
<dt><b>*TPLJOBLOG</b></dt>
<dd>The authorities to the job log template are revoked.
</dd>
<dt><b>*JOBLOG</b></dt>
<dd>The authorities to the job log objects are revoked.
</dd>
<dt><b>*TPLJOBQL</b></dt>
<dd>The authorities to the job queue list template are revoked.
</dd>
<dt><b>*JOBQL</b></dt>
<dd>The authorities to the job queue list objects are revoked.
</dd>
<dt><b>*TPLMSGL</b></dt>
<dd>The authorities to the message list template are revoked.
</dd>
<dt><b>*MSGL</b></dt>
<dd>The user authorities to the message list objects are revoked.
</dd>
<dt><b>*TPLMSGQ</b></dt>
<dd>The authorities to the message queue template are revoked.
</dd>
<dt><b>*TPLMSGSND</b></dt>
<dd>The authorities to the message sender template are revoked.
</dd>
<dt><b>*MSGSND</b></dt>
<dd>The authorities to the message sender objects are revoked.
</dd>
<dt><b>*TPLSGNUSL</b></dt>
<dd>The authorities to the signed-on user list template are revoked.
</dd>
<dt><b>*SGNUSL</b></dt>
<dd>The authorities to the signed-on user list objects are revoked.
</dd>
<dt><b>*TPLOBJL</b></dt>
<dd>The authorities to the object list template are revoked.
</dd>
<dt><b>*OBJL</b></dt>
<dd>The authorities to the object list objects are revoked.
</dd>
<dt><b>*TPLLIBSL</b></dt>
<dd>The authorities to the library list template are revoked.
</dd>
<dt><b>*LIBSL</b></dt>
<dd>The user authorities to the library list objects are revoked.
</dd>
<dt><b>*TPLLIB</b></dt>
<dd>The authorities to the library template are revoked.
</dd>
<dt><b>*TPLLAUNCH</b></dt>
<dd>The authorities to the job submitter template are revoked.
</dd>
<dt><b>*LAUNCH</b></dt>
<dd>The authorities to the job submitter objects are revoked.
</dd>
<dt><b>*PRSSET</b></dt>
<dd>The authorities to the personal setting objects are revoked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="RVKWSOAUT.USER"></a>
<h3>Users (USER)</h3>
<p>Specifies one or more users whose specific authorities to the named object are to be revoked.
</p>
<p>Authorities revoked by this command are related to those given by the Grant Workstation Object Authority (GRTWSOAUT) command. If users have public authority to an object because USER(*PUBLIC) was specified on the GRTWSOAUT command, that public authority is revoked when *PUBLIC is specified on this parameter. If users have specific authorities to an object because their names were specified on the GRTWSOAUT command, their names must be specified on this parameter to revoke the same authorities.
</p>
<p>The authorities to be revoked are those specified for the <b>Authority (AUT)</b> parameter.
</p>
<p>
<b>Note: </b>Either this parameter or the AUTL parameter must be specified.
</p>
<dl>
<dt><b>*ALL</b></dt>
<dd>The authorities specified on the AUT parameter are taken away from all enrolled users of the system except the owner, if they are publicly or explicitly authorized.
</dd>
<dt><b>*PUBLIC</b></dt>
<dd>The specified authorities are taken away from users who do not have specific authority for the object, are not on the authorization list, and whose group has no authority. Any users who have specific authorities still keep their authorities to the object.
</dd>
<dt><b><i>name</i></b></dt>
<dd>Specify the name of the user profile that is to have the specified authorities revoked. This parameter cannot be used to revoke public authority from specific users; only authorities that were specifically given to a user can be specifically revoked.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="RVKWSOAUT.AUT"></a>
<h3>Authority (AUT)</h3>
<p>Specifies the authority to be revoked from the users who do not have specific authority to the object, who are not on an authorization list, and whose user group does not have specific authority to the object.
</p>
<p><b>Single values</b>
</p>
<dl>
<dt><b><u>*CHANGE</u></b></dt>
<dd>The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
</dd>
</dl>
<dl>
<dt><b>*ALL</b></dt>
<dd>The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
</dd>
</dl>
<dl>
<dt><b>*USE</b></dt>
<dd>The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
</dd>
</dl>
<dl>
<dt><b>*EXCLUDE</b></dt>
<dd>The user cannot access the workstation object.
</dd>
<dt><b>*AUTL</b></dt>
<dd>The public authority of the authorization list specified on the AUTL parameter is used for the public authority for the object.
<p>
<b>Note: </b>You can specify AUT(*AUTL) only when USER(*PUBLIC) is also specified.
</p>
</dd>
</dl>
<p><b>Other values (up to 10 repetitions)</b>
</p>
<dl>
<dt><b>*OBJALTER</b></dt>
<dd>Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
</dd>
<dt><b>*OBJMGT</b></dt>
<dd>Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
</dd>
<dt><b>*OBJEXIST</b></dt>
<dd>Object existence authority provides the authority to control the object's existence and ownership. If a user has special save system authority (*SAVSYS), object existence authority is not needed to perform save and restore operations on the object.
</dd>
<dt><b>*OBJOPR</b></dt>
<dd>Object operational authority provides authority to look at the description of an object and use the object as determined by the data authority that the user has to the object.
</dd>
<dt><b>*OBJREF</b></dt>
<dd>Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.
</dd>
</dl>
<p><b>Data authorities</b>
</p>
<dl>
<dt><b>*ADD</b></dt>
<dd>Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
</dd>
</dl>
<dl>
<dt><b>*DLT</b></dt>
<dd>Delete authority provides the authority to remove entries from an object.
</dd>
<dt><b>*EXECUTE</b></dt>
<dd>Execute authority provides the authority needed to run a program or locate an object in a library.
</dd>
<dt><b>*READ</b></dt>
<dd>Read authority provides the authority needed to get the contents of an entry in an object or to run a program.
</dd>
<dt><b>*UPD</b></dt>
<dd>Update authority provides the authority to change the entries in an object.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="RVKWSOAUT.AUTL"></a>
<h3>Authorization list (AUTL)</h3>
<p>Specifies the authorization list that is revoked from the object specified on the WSOTYPE parameter. If public authority for the object is *AUTL, it is changed to *EXCLUDE. The authorization list's authority is then removed.
</p>
<p>
<b>Note: </b>Either this parameter or the USER parameter must be specified. If this parameter is specified, the AUT parameter is ignored.
</p>
<dl>
<dt><b><i>name</i></b></dt>
<dd>Specify the name of the authorization list.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div><h3><a name="RVKWSOAUT.COMMAND.EXAMPLES">Examples</a> </h3>
<p>
<pre>
RVKWSOAUT WSOTYPE(*SGNUSL) USER(HEANDERSON) AUT(*DLT *UPD)
</pre>
</p>
<p>This command removes the delete and the update authorities for signed-on user list objects from the user profile name HEANDERSON.
</p>
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div>
<h3><a name="RVKWSOAUT.ERROR.MESSAGES">Error messages</a></h3>Unknown
</div>
<table width="100%">
<tr><td align="right"><a href="#RVKWSOAUT.Top_Of_Page">Top</a></td></tr>
</table>
</body>
</html>