Tuesday, November 17, 2020

Authorization List on IBM i

Authorization List (AUTL):

Managing authorities is a key part of any application. Authorities can be provided through a User profile or its associated Group profile. Another way to do this is by using an Authorization List.

An Authorization List allows multiple User profiles and/or Group profiles to be set up with the required authorities (*USE, *CHANGE, *ALL...); the Authorization List is then added to the corresponding libraries or objects.

This makes authorities easier to manage, because they are set up or changed in one place rather than on multiple libraries or objects.

Apart from making authorities easier to manage, there are a couple of other major advantages to using Authorization Lists.
  • Authority can be granted or revoked even if the file is locked, by adding or removing the user on the Authorization List. The same cannot be done directly on a file, even if it is open for read.
  • Authorization Lists provide a way to remember authorities when an object is saved. The object is automatically linked with the Authorization List again when it is restored on to the same system. The only exception to this is if ALWOBJDIF(*ALL), ALWOBJDIF(*AUTL) or ALWOBJDIF(*COMPATIBLE) is specified on the restore command.

It is advised not to maintain private authorities directly on the objects along with an Authorization List. Doing so might affect system performance, because authorities are then checked on both the object and the Authorization List.

How to set up an Authorization List? This can be done in 3 simple steps.
  1. Create the Authorization List.
  2. Add users to the Authorization List.
  3. Attach the Authorization List to objects.

CRTAUTL (Create Authorization List) is used to create an Authorization List.

CRTAUTL AUTL(DATAAUTL) TEXT('Authorization List for Data Objects')

Existing authorization lists can be seen by using WRKAUTL (Work with Authorization Lists).

Option '2' on the 'Work with Authorization Lists' screen, or the EDTAUTL (Edit Authorization List) command, is used to add or remove users and/or users' authorities.

To attach an Authorization List to objects, one of the commands below can be used.
  • GRTOBJAUT (Grant Object Authority) - Use the 'AUTL' parameter to add the Authorization List to an object.
  • CHGAUT (Change Authority) - Use the 'AUTL' parameter to add the Authorization List to an IFS object.
  • EDTAUT (Edit Authority) or EDTOBJAUT (Edit Object Authority) - Both of these commands display a screen where the Authorization List is entered against 'Object secured by authorization list'.
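
The three steps as one CL command sequence, added here as an example and not taken from the original post. It uses ADDAUTLE (Add Authorization List Entry) as the command-line alternative to the EDTAUTL screen; the library APPLIB, file CUSTMAST, profiles APPGRP and JSMITH, and the IFS path are hypothetical names.

```cl
/* Added example. Every name except DATAAUTL is hypothetical.          */

/* Step 1: create the list. AUT(*EXCLUDE) sets *PUBLIC authority on    */
/* the list to no access, so only the profiles added below get in.     */
CRTAUTL AUTL(DATAAUTL) AUT(*EXCLUDE) TEXT('Authorization List for Data Objects')

/* Step 2: add profiles. An entry for a group profile covers all of    */
/* its members; an individual user can carry a different authority.    */
ADDAUTLE AUTL(DATAAUTL) USER(APPGRP) AUT(*USE)
ADDAUTLE AUTL(DATAAUTL) USER(JSMITH) AUT(*CHANGE)

/* Step 3: attach the list to a library object and to an IFS object.   */
GRTOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) AUTL(DATAAUTL)
CHGAUT OBJ('/appdata/export.csv') AUTL(DATAAUTL)

/* Have the file take its *PUBLIC authority from the list as well.     */
/* AUT(*AUTL) is only accepted together with USER(*PUBLIC).            */
GRTOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* If JSMITH still holds a private authority on the file itself,       */
/* revoke it so the list is the only place the authority is defined.   */
RVKOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) USER(JSMITH) AUT(*ALL)

/* Review: who is on the list, which objects it secures, and what      */
/* authorities remain on the file.                                     */
DSPAUTL AUTL(DATAAUTL) OUTPUT(*PRINT)
DSPAUTLOBJ AUTL(DATAAUTL) OUTPUT(*PRINT)
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
```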
