How does iSeries check Authority?

Date: 3 February 2003
Product/Release: LANSA for iSeries
Abstract: The sequence of authority checking used by the iSeries
Submitted By: LANSA Technical Support


In what sequence does the iSeries check user authority for an object. Folders containing sensitive personnel information documents on the iSeries need to be secure. How can this be done? If the system operator has *ALLOBJ authority can they be excluded from this folder?


The sequence of authority checking that is used by the system is as follows:

  1. Work for Relationship
  2. Special Authority (such as *ALLOBJ)
  3. Explicit (or specific) Authority
  4. Authorization List
  5. Group Profile
  6. Access Code
  7. Public Authorization

A user with *ALLOBJ special authority gains access very quickly.

You can restrict a user who needs *ALLOBJ from accessing documents and folders by doing the following:

  1. Create a group profile with *ALLOBJ authority.
  2. Change all user profiles so that no user has *ALLOBJ authority. For those users who need *ALLOBJ, make them members of the newly created group profile.
  3. Change the authority for the folder that needs to be restricted and specifically exclude all users of the group profile who are not to be allowed access.

Even though the members of the group profile have *ALLOBJ special authority, the system finds them in the check for Explicit (or Specific) Authority before it finds their group profile authority and thus will not allow access to the folder.

Note: Only those users who need *ALLOBJ authority should be in the group profile, as this could be a security exposure.

If QSECOFR is excluded from this folder, he/she will be able to save/restore everything except the secured folder. The owner of the secured folder will need to be given the necessary special authorities to save/restore that folder.