Comments on: Authority to some objects in a library to which user already has access

By: TomLiotta

TomLiotta — Wed, 24 Oct 2012 10:34:34 +0000

BTW, Paul would only need to be granted *ALL authority if he needed “all” authority. He might only need *CHANGE or *USE or some user-defined authority. I have no way to know what authority is needed. — Tom

By: TomLiotta

TomLiotta — Wed, 24 Oct 2012 10:31:35 +0000

If the only authority is *PUBLIC *EXCLUDE (and user Paul does not have *ALLOBJ), then authority must be granted to Paul in order to use the object. If Paul is the owner, then Paul can grant authority to himself whenever he wants. — Tom

By: 100282

100282 — Wed, 24 Oct 2012 08:38:43 +0000

The Library ABC is owned by the user Paul. The objects in the library ABC have the authority *PUBLIC *EXCLUDE. However,when checked I found that all the objects in library ABC have owner as Paul. Do we still need to give specific authority to PAUL as PAUL *ALL for individual objects also for him to access? Hope I am clear this time?

By: TomLiotta

TomLiotta — Tue, 23 Oct 2012 09:34:19 +0000

can this happen?

Not enough information. Nothing shown looks unusual, but I don’t know what kind of object XYZ is nor how it was created. Knowing those will probably lead to other questions.

Tom

By: 100282

100282 — Tue, 23 Oct 2012 09:18:01 +0000

For eg:
Library: ABA – Owner : Paul
Object: XYZ – Owner : Paul *PUBLIC *EXCLUDE
the user Paul is not having access by default? can this happen?

By: TomLiotta

TomLiotta — Tue, 23 Oct 2012 00:37:01 +0000

doesnt the ownership reflect to all the objects in the library?

No.

The ‘ownership’ does not automatically allow the authority to access an object (even if ownership of a library did extend to objects contained in it). For example, if an owner is given *EXCLUDE authority to an object, then the owner can’t access the object until authority to do so is reestablished.

It depends on what authority was granted when the object was created or later. Ownership <> authority.

(But note that an object owner always has the authority to change the authority on an object.)

Tom

By: ToddN2000

ToddN2000 — Mon, 22 Oct 2012 17:43:32 +0000

No. I can add file to a library if I am authorized but someone else may not be able to delete what I added to the library. There are 2 levels of security going on here one is for the library and the second is the individual objects in the library.Check both sides and you will probably find the issue. Check the object authority for one that works and compare to one that does not.

By: 100282

100282 — Mon, 22 Oct 2012 13:46:27 +0000

Sorry for the confusion. but the library is owned by the user. doesnt the ownership reflect to all the objects in the library?
do we need to grant access to objects in his own library?

By: ToddN2000

ToddN2000 — Fri, 19 Oct 2012 15:38:42 +0000

Like Tom mentioned you REALLY need some security/authority measures in place. Maybe they do not need authority to everything in the LIB. We have had some issues where if the file object was created under a different user profile you could not delete it for example because of the object owner. Mainly from users creating files as output from as/400 queries to import into Excel. Check all the objects in the library and see what is different on the ones they are having access problems with.. I think you will see a pattern.

By: TomLiotta

TomLiotta — Fri, 19 Oct 2012 00:06:12 +0000

Not sure how the access is not there in first place?

Why do you think it should be there in the first place? Did you already grant authority to the user for those files and queries? Is the user a member of a group that already has authority? Are all of the files and queries on an authorization list that the user is authorized to?

to grant access now do we need to add *ALL authority for each individual object?

If you need to grant *ALL authority to the user for every individual file, then yes, you need to grant *ALL authority to the user for every individual file. If you need to grant less authority or the user doesn’t need authority to every file, then no, you don’t to grant *ALL for every file. We have no information about what authority you need to grant for which objects.

Authority can be granted generically with the CHGAUT command. That’s a way to assign authorities for each file and/or each query while using a single command.

We can guess that your system has no useful authority scheme in place, otherwise this question wouldn’t have come up. An appropriate authority scheme would go a long way towards automating authority assignments.

Who is responsible for maintaining authority on your system? Creating a security scheme can be difficult after a system has been in use for a while. But it will save time and confusion in the future, and your system will be more secure.

Tom