User Authority in AS/400

65 pts.
Tags:
AS/400 security
AS/400 user administration
AS/400 user authority
user A have auhtority on X Library and X library has a lot of query. But I want user A access only one query. how can I restrict him.

Answer Wiki

Thanks. We'll let you know when a new response is added.

If the user A has access to all the objects in the library X, it would be quicker to exclude user A from all the queries then grant authority to the one only.

GRTOBJAUT OBJ(libraryX/*ALL) OBJTYPE(*QRYDFN) USER(userA) AUT(*EXCLUDE)
then GRTOBJAUT to the single query.

=============================================================

The right answer depends on your current authorization scheme.

Ideally, the library and objects in it have *PUBLIC *EXCLUDE. This provides a base that is the fallback condition. It’s not necessary to have individuals as *EXCLUDE since they’re automatically excluded.

Then you can grant just the few individuals any needed authority and thus keep private authorities to a minimum. In this case, just the single individual would need *USE authority to the library and *USE authority to the query.

If many individuals need *USE authority to the library, then grant *USE to a group profile instead and make those users members of the group. That results in only a single private authority for the library.

Or even better –

You might prefer having the library and its objects on one or more *AUTLs. The library might be on one *AUTL and the objects on a second *AUTL. The group profile might then be given *USE authority to both *AUTLs.

And you might even have two group profiles with three *AUTLs. One *AUTL has the library and both group profiles. The second *AUTL could have most objects in the library and the main group profile listed. The second *AUTL could have the one query object and both group profiles listed.

Your individual user would only have the group profile that had limited access.

Once it’s set up with group profiles and *AUTLs, an advantage is that you can change individual’s group membership and thereby change authorities for that individual. If instead you start granting authorities directly to objects for individuals, every change of authority for those objects requires exclusive locks. There will be times when getting exclusive locks might be tricky because some objects are in use most of the time.

By having group profiles and *AUTLs as a middle layer, you can manipulate authorities without needing to lock application objects.

So, what’s the right answer for you? Well, without knowing how responsibilities of your users are separated and how your libraries and objects are separated and how elements like personnel turnover affect you, it’s hard to tell.

Tom

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Kiok
    You might try using edtobjaut
    45 pointsBadges:
    report
  • aceofdelts
    You could set up a menu CL as the initial program for this user. Have the desired query as a menu option. This only helps if the user has no Command Line availability. More work than Tom's authority method, but it locks user out of future queries yet to be created in library X.
    1,900 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following