Commonly used authorities
You can specify certain sets of object and data authorities.
Certain sets of object and data authorities are commonly required to perform operations on objects. You can specify these system-defined sets of authority (*ALL, *CHANGE, *USE) instead of individually defining the authorities needed for an object. *EXCLUDE authority is different from having no authority. *EXCLUDE authority specifically denies access to the object. Having no authority means you use the public authority defined for the object. Table 1 shows the system-defined authorities available using the object authority commands and displays.
Authority | *ALL | *CHANGE | *USE | *EXCLUDE |
---|---|---|---|---|
Object Authorities | | | | |
*OBJOPR | X | X | X | |
*OBJMGT | X | | | |
*OBJEXIST | X | | | |
*OBJALTER | X | | | |
*OBJREF | X | | | |
Data Authorities | | | | |
*READ | X | X | X | |
*ADD | X | X | | |
*UPD | X | X | | |
*DLT | X | X | | |
*EXECUTE | X | X | X | |
Table 2 shows additional system-defined authorities that are available using the WRKAUT and CHGAUT commands:
Authority | *RWX | *RW | *RX | *R | *WX | *W | *X |
---|---|---|---|---|---|---|---|
Object Authorities | | | | | | | |
*OBJOPR | X | X | X | X | X | X | X |
*OBJMGT | | | | | | | |
*OBJEXIST | | | | | | | |
*OBJALTER | | | | | | | |
*OBJREF | | | | | | | |
Data Authorities | | | | | | | |
*READ | X | X | X | X | | | |
*ADD | X | X | | | X | X | |
*UPD | X | X | | | X | X | |
*DLT | X | X | | | X | X | |
*EXECUTE | X | | X | | X | | X |
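The following added example (not IBM code) encodes Tables 1 and 2 as sets and uses them to review one object's authority entries, showing that a private *EXCLUDE entry blocks a user while a user with no entry falls back to the public authority. It is a simplified model of only that distinction; group profiles, authorization lists, special authorities and adopted authority are not modeled, and the user names and entries are constructed.

```python
# Added example: authority sets transcribed from Tables 1 and 2 of this page.
OBJ = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
WRITE = {"*ADD", "*UPD", "*DLT"}
SETS = {
    "*ALL": OBJ | DATA,
    "*CHANGE": {"*OBJOPR"} | DATA,
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
    "*RWX": {"*OBJOPR"} | DATA,
    "*RW": {"*OBJOPR", "*READ"} | WRITE,
    "*RX": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*R": {"*OBJOPR", "*READ"},
    "*WX": {"*OBJOPR", "*EXECUTE"} | WRITE,
    "*W": {"*OBJOPR"} | WRITE,
    "*X": {"*OBJOPR", "*EXECUTE"},
}

def names_for(authorities):
    """Every system-defined name that grants exactly this set of authorities."""
    return sorted(n for n, s in SETS.items() if s == set(authorities))

def effective(user, private, public):
    """Simplified model: a private entry wins, even *EXCLUDE; otherwise *PUBLIC applies."""
    if user in private:
        return "private", SETS[private[user]]
    return "*PUBLIC", SETS[public]

def excess(users, private, public, ceiling):
    """Map each user to the authorities held beyond the `ceiling` set, with their source."""
    report = {}
    for user in users:
        source, held = effective(user, private, public)
        extra = held - SETS[ceiling]
        if extra:
            report[user] = (source, sorted(extra))
    return report

# Constructed sample: one object's public authority and private entries.
PUBLIC = "*CHANGE"
PRIVATE = {"APPUSER": "*USE", "CONTRACTOR": "*EXCLUDE"}
USERS = ["APPUSER", "CONTRACTOR", "CLERK"]  # CLERK has no private entry

if __name__ == "__main__":
    for u in USERS:
        src, held = effective(u, PRIVATE, PUBLIC)
        print(u, src, names_for(held))
    print(excess(USERS, PRIVATE, PUBLIC, "*USE"))
```

In this sample the only user exceeding *USE is CLERK, who has no private entry and so inherits the public *CHANGE authority.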
The LAN Server licensed program uses access control lists to manage authority. A user's authorities are called permissions. Table 3 shows how the LAN Server permissions map to object and data authorities:
Authority | LAN server permissions |
---|---|
*EXCLUDE | None |
Object Authorities | |
*OBJOPR | See note 1 |
*OBJMGT | Permission |
*OBJEXIST | Create, Delete |
*OBJALTER | Attribute |
*OBJREF | No equivalent |
Data Authorities | |
*READ | Read |
*ADD | Create |
*UPD | Write |
*DLT | Delete |
*EXECUTE | Execute |
Note 1: Unless NONE is specified for a user in the access control list, the user is implicitly given *OBJOPR.