Authority lists

1150 pts.
AS/400 administration
AS/400 Authorization List

plz give me the step by step process of creation of an Authority list and maintaining( i mean how to use) it...



Software/Hardware used:

Answer Wiki

Thanks. We'll let you know when a new response is added.

CRTAUTL. This command should have PUBLIC *EXCLUDE. You will need to have authority to this command or *allobj authority


Set security on system objects using the desired AUTL.

Add User Accounts to the AUTL (WRKAUTL and Option 2 to change/add/delete). Using Group profiles is my recommendation whenever possible.


I can’t think of any reason why CRTAUTL should be restricted as *PUBLIC *EXCLUDE.

Certainly, *PUBLIC *EXCLUDE is a likely authority to assign as a user entry on an *AUTL. There seems to be no reason ever to grant higher than *PUBLIC *USE on any *AUTL. If higher authority is given to *PUBLIC, then there’s probably no point in using the *AUTL for whatever is being done.

Note that objects that are added to the *AUTL should usually also have *PUBLIC *AUTL assigned in order to direct authority to the *AUTL.

An Authority List (*AUTL) object is a way of assigning authorities for a list of objects to a list of users. The “lists” may contain just a single object or user. Authorities are set against /each/ user for /all/ objects on the list.

One user might have *USE authority while a different user could have *CHANGE. The authority for a user is associated with <b>every</b> object on the list. I.e., you can’t use an *AUTL to give a particular user *USE authority to one object and *CHANGE authority to a different object.

*AUTLs are not the solution for everything. They can provide an administrator with a single interface point for potentially many users and objects. <b>A given object can appear on only one *AUTL.</b>

The list of users will often consist mostly of group profiles. The list of objects will often consist of objects from within a particular application. Users can appear on many *AUTLs.

Often, a single *AUTL might be created for a given application. However, you might create a couple *AUTLs for each application; you might see a reason to put particular users on one *AUTL with *CHANGE authority and *USE on a second *AUTL that lists a few other objects.

By listing group profiles, you effectively are granting members of the groups the authorities that are on the *AUTL. (You can list a particular user on the same list that the user’s group is on. The individual’s entry will be checked first. In this way, you can restrict an individual or elevate an individual while maintaining general group authority.

Listing a few groups lets you control all of the members with minimal effort. When a new user is added to the group, all authorities of the group become effective for that user. There’s no need to to put the user on any of the *AUTLs nor to assign authority object by object.

You can create *AUTLs, create a few profiles, place the profiles on the list with authorities and add objects to the list. As long as the profiles are not in use (no one logs on with them here are no members), the *AUTLs would have no effect. This gives you a way to phase object-level authority into a site that currently isn’t controlled. Whatever authorities are in place for users and objects will still be in place in addition to whatever is assigned on the new *AUTLs.


Discuss This Question: 7  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • RVP400
    Hi, Read the tech tip series mention below. Hopefully, it will answer most of your questions. Regards, RVP
    270 pointsBadges:
  • Abigail
    Security practice in our enviroment, the command must be locked down...just as DLTAUTL, CHGAUTL. Although, noone outside of IT has command entry access, developer's are not allowed to modify AUTL.
    645 pointsBadges:
  • TomLiotta
    DLTAUTL and CHGAUTL make some obvious sense. But CRTAUTL? It just seemed a little odd. I couldn't see what could be done that would be a problem if anyone created an *AUTL of their own. Object authority should already restrict what might be listed on it, both for users and objects. For DLTAUTL... would your developers have the authority to delete any *AUTLs if they had access to the command? Hopefully GRTOBJAUT and CHGAUT commands, etc., are similarly restricted.
    125,585 pointsBadges:
  • Abigail
    Perhaps we are too stringent with authorities, but grtobjaut, chgaut, addautl, chgautl, dltautl (to name a few) are also restricted.
    645 pointsBadges:
  • ten2008
    Hi Tom, thanks for your reply. But i want to know how the objects are allotted to the Authority list. regards Ram
    1,150 pointsBadges:
  • CharlieBrowne
    Try DSPAUTLOBJ ++ When your looking for a command and not sure what one to use, there is a menu system to help you. key in "GO CMDxxx" Where xxx is a noun or verb that is used in commands. GO CMDAUTL GO CMDOBJ etc...
    62,385 pointsBadges:
  • TomLiotta
    ...i want to know how the objects are allotted to the Authority list. The GRTOBJAUT command is one way:
    125,585 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: