In AS/400 terminology, an authority is the permission to access an object. The object owner and the security officer (or other *ALLOBJ users) can grant or revoke authority to an object.
Special Authorities
All security systems have special user privileges for certain security and system administration functions. Special authorities allow certain users to administer AS/400 security and system tasks. There are eight special authorities. These special authorities are not hierarchical.
*ALLOBJ: All object authority; grants access to any system resource
*AUDIT: Allows the user to perform auditing functions
*JOBCTL: Allows the user to manage spool files, job queues, output queues, jobs, and writers, to stop subsystems, and to perform an IPL
*SAVSYS: Used for saving and restoring the system and data without having explicit authority to the objects, queues, and subsystems
*SECADM: Allows administration of user profiles and Office
*SERVICE: Allows access to special service functions (such as SST) for problem diagnosis
*SPLCTL: Allows control of spool functions
*IOSYSCFG: Allows changes to the system configuration
Specific authorities
Specific authorities are further divided into 2 types.
1. Object Authorities
2. Data Authorities
It is important to understand the difference between authority to an object and authority to the data in the object. Operations such as moving, renaming, saving, or deleting apply to the object as such. It is possible to have authority for these operations without having access to the data stored in the object. Likewise, one can have full access (read, write, update, delete, execute) to the data in an object without having full authority to manipulate the whole object.
1. Object Authorities :
There are 6 object authorities used in AS/400. They are as follows.
a. *OBJOPR ( Object Operational )
b. *OBJEXIST ( Object Existence )
c. *OBJMGT ( Object Management )
d. *OBJALTER ( Object Alteration )
e. *AUTLMGT ( Authorization List Authority )
f. *OBJREF ( Object Reference )
2. Data Authorities :
There are 5 data authorities used in AS/400. They are as follows.
a. *READ ( Read Data )
b. *ADD ( Add Data )
c. *DLT ( Delete Data )
d. *UPD ( Change Data )
e. *EXECUTE ( Run a Program )
The following authorities are independent (not hierarchical). For some operations a combination of authorities is required:
*OBJOPR: The object operational authority controls the use of an object and the capability to look at the description of the object. It is needed to open a file and is therefore usually assigned in combination with the desired data rights.
*OBJMGT: The object management authority controls the move, rename, and change attribute functions for an object, and the grant and revoke authority functions for other users or groups.
*OBJEXIST: The object existence authority controls the delete, save, restore, and transfer ownership operations of an object.
*AUTLMGT: This authority is needed to manage the contents of an authorization list associated with the object. This is a specialized security authorization that is not usually grouped with the other seven object authorities.
*OBJALTER: This authority is needed to alter the attributes of database files and change the attributes of SQL packages.
*OBJREF: This authority is needed to specify a database file as the first level in a referential constraint.
*READ: Controls the ability to read data from the object.
*ADD: Controls the ability to insert a new entry (such as a new record in a file) into the object.
*UPDATE: Controls the ability to modify existing entries in the object.
*DELETE: Controls the ability to remove existing entries (for example, records) in the object. Deleting the whole object requires *OBJEXIST authority.
*EXECUTE: Controls the ability to run a program, service program, or SQL package, and to locate an object in a library or a directory.
Some common combinations of authorities have been given special names as an abbreviated form. For example, *USE is the combination of *OBJOPR, *READ, and *EXECUTE.
*ALL: Allows unlimited access to the object and its data
*CHANGE: Allows unlimited access to the data in the object
*USE: Allows data in the object to be read
*EXCLUDE: Allows no access to the object or its data
*PUBLIC Authority
Public authority is the default authority for an object. It is used if users do not have any specific (private) authority to an object, are not on the authorization list (if one is specified) for the object, or their group(s) has no specific authority to the object.
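The named combinations (*ALL, *CHANGE, *USE, *EXCLUDE), the operations that need a combination of authorities, and the fallback to *PUBLIC described above, modelled as an added Python example (not code from the original page or from IBM). The resolution order is a simplified model labelled as such in the code; *USE is expanded as the page states it, while *ALL and *CHANGE are expanded per IBM's standard definitions, and the CUSTMAST object and its user entries are constructed sample data.

```python
# Specific authorities on the page, split into object and data authorities.
OBJECT_AUTHS = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF", "*AUTLMGT"}
DATA_AUTHS = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}

# Named combinations: *USE as the page states it; *ALL and *CHANGE expanded
# per IBM's standard definitions (*CHANGE = *OBJOPR plus all data authorities).
NAMED = {
    "*ALL": OBJECT_AUTHS | DATA_AUTHS,
    "*CHANGE": {"*OBJOPR"} | DATA_AUTHS,
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}

# Operations and the combinations the page says they need (*OBJOPR to open the file plus a data right).
REQUIRED = {
    "read_records": {"*OBJOPR", "*READ"},
    "add_record": {"*OBJOPR", "*ADD"},
    "delete_record": {"*OBJOPR", "*DLT"},
    "run_program": {"*OBJOPR", "*EXECUTE"},
    "rename_object": {"*OBJMGT"},
    "delete_object": {"*OBJEXIST"},
}

def expand(auth):
    # A named authority or an explicit set of specific authorities -> set.
    return set(NAMED[auth]) if isinstance(auth, str) else set(auth)

def effective_authority(user, obj):
    # Simplified model of the resolution order (not the full OS/400 algorithm):
    # *ALLOBJ, private authority, authorization list, group authority, then *PUBLIC.
    if "*ALLOBJ" in user.get("special", set()):
        return OBJECT_AUTHS | DATA_AUTHS
    if user["name"] in obj["private"]:          # a private *EXCLUDE yields an empty set
        return expand(obj["private"][user["name"]])
    if user["name"] in obj.get("autl", {}):
        return expand(obj["autl"][user["name"]])
    group_auth, found = set(), False
    for group in user.get("groups", ()):
        if group in obj["private"]:
            group_auth |= expand(obj["private"][group])
            found = True
    return group_auth if found else expand(obj["public"])

def is_allowed(user, obj, operation):
    # Every authority in the required combination must be present.
    return REQUIRED[operation] <= effective_authority(user, obj)

# Constructed sample object: public *USE, one private *EXCLUDE, a group with *CHANGE.
CUSTMAST = {"public": "*USE", "autl": {}, "private": {"ALICE": "*EXCLUDE", "PAYROLL": "*CHANGE"}}
```

With this sample, a user with no private or group entry falls back to *USE and can read but not add records, a *CHANGE group member can delete records but not the file itself, and only *OBJEXIST (or *ALLOBJ) permits deleting the object.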