Order in which security is checked

80 pts.
Tags:
AS/400 security
Object authority
When accessing an object what is the order in which the security on the object is checked? Does it check the profile user class first then group authority, then private authority ?
ASKED: May 13, 2009  11:20 PM
UPDATED: November 4, 2009  8:42 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hi,

First verification is if user has *ALLOBJ. If it’s true. no other verification is done.

After that, the order is :

1-Private authorization
2-Group authorization
3-Authorization List
4-Public Authorization
5-Adopted Authorization

I hope it’s what you are looking for.

Regards,

Wilson

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    A couple notes... First, "user class" isn't involved in object authority checking. Maybe that was just a typo, but it should be emphasized. And, authority checking proceeds as noted above and stops as soon as authority is found. Because private authority is checked before group authority, you can assign a private authority of *EXCLUDE in order to block a user even when the group authority is *ALL. Assigning *EXCLUDE is not the same as removing all authority. The *EXCLUDE authority will be found, and checking will stop. It will not proceed to checking the group. Tom
    125,585 pointsBadges:
    report
  • CarterC19
    More detail: Authority order of operations Ownership of an object Owner’s special authority in profile Owner’s specific authority attached to an object Authorization lists attached to an object User Profile User’s special authority in profile User’s specific authority attached to an object Authorization list attached to an object Group profile Group’s special authority in the group profile Group’s specific authority attached to an object Authorization lists attached to an object Public authority to an object Carter
    220 pointsBadges:
    report
  • TomLiotta
    For these:
    1. User Profile
    2. User’s special authority in profile
    ...the order needs to be reversed in terms of effectiveness (and maybe actuality). Authority checking should be viewed as ending as soon as an appropriate authority is found. I'd guess that that's in order to speed things up as much as possible. If you grant *PUBLIC *USE to an object and also grant USERX *EXCLUDE to that object, USERX will be unauthorized because the private authority will be found before *PUBLIC authority is even looked at. Authority checking ends when USERX *EXCLUDE is located. However, if you then give USERX special authority *ALLOBJ, then USERX gains the authority to access the object. Clearly, authority checking is not ended when the USERX *EXCLUDE is found... unless that's not the actual order of checking. If special authority is checked first, then authority checking ends and there is no attempt to look any farther. I haven't looked at the flow-charts to see what they say. If they say that private authority is checked before special authority, then they are misleading and probably need some work. A misleading authority flow-chart might be troublesome. And if they have added detail that accounts for the discrepancy, then the list here is misleading. No? Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following