Authority required for objects used by commands
The tables in this section show what authority is needed for objects referenced by commands.
For example, in the entry for the Change User Profile (CHGUSRPRF) command the table lists all of the objects to which you need authority, such as the user's message queue, job description, and initial program.
The tables are organized in alphabetical order according to object type. In addition, tables are included for items that are not IBM i objects (jobs, spooled files, network attributes, and system values) and for some functions (device emulation and finance). Additional considerations (if any) for the commands are included as footnotes to the table.
The following sections are descriptions of the columns in the tables.
Referenced object
The objects listed in the Referenced object column are objects to which the user needs authority when using the command.
Authority required for object
The authorities specified in the tables show the object authorities and the data authorities that are required for the object when using the command.
Authority required for library
This column shows what authority is needed for the library containing the object.
For most operations, *EXECUTE authority is needed to locate the object in the library. Adding an object to a library requires *READ and *ADD authority.
Object type
The value refers to the type of the object specified in the Referenced object column.
File system
The value refers to the type of file system that the referenced object belongs to.
For the integrated file system in the IBM i operating system, refer to Integrated file system.
The following table describes the authorities that are specified in the Authority needed column. The description includes examples of how the authority is used. In most cases, accessing an object requires a combination of object and data authorities.
Authority | Name | Functions allowed |
---|---|---|
Object authorities: | | |
*OBJOPR | Object Operational | Look at the description of an object. Use the object as determined by the user's data authorities. |
*OBJMGT | Object Management | Specify the security for the object. Move or rename the object. All functions defined for *OBJALTER and *OBJREF. |
*OBJEXIST | Object Existence | Delete the object. Free storage of the object. Perform save and restore operations for the object 1. Transfer ownership of the object. |
*OBJALTER | Object Alter | Add, clear, initialize and reorganize members of the database files. Alter and add attributes of database files: add and remove triggers. Change the attributes of SQL packages. Move a library or folder to a different ASP. |
*OBJREF | Object Reference | Specify a database file as the parent in a referential constraint. For example, assume that you want to define a rule that a customer record must exist in the CUSMAS file before an order for the customer can be added to the CUSORD file. You need *OBJREF authority to the CUSMAS file to define this rule. |
*AUTLMGT | Authorization List Management | Add and remove users and their authorities from the authorization list. |
Data authorities: | | |
*READ | Read | Display the contents of the object, such as viewing records in a file. |
*ADD | Add | Add entries to an object, such as adding messages to a message queue or adding records to a file. |
*UPD | Update | Change the entries in an object, such as changing records in a file. |
*DLT | Delete | Remove entries from an object, such as removing messages from a message queue or deleting records from a file. |
*EXECUTE | Execute | Run a program, service program, or SQL package. Locate an object in a library or a directory. |
In addition to these values, the Authority needed columns of the table might show system-defined subsets of these authorities. The following table shows the subsets of object authorities and data authorities.
Authority | *ALL | *CHANGE | *USE | *EXCLUDE |
---|---|---|---|---|
Object authorities: | | | | |
*OBJOPR | X | X | X | |
*OBJMGT | X | | | |
*OBJEXIST | X | | | |
*OBJALTER | X | | | |
*OBJREF | X | | | |
Data authorities: | | | | |
*READ | X | X | X | |
*ADD | X | X | | |
*UPD | X | X | | |
*DLT | X | X | | |
*EXECUTE | X | X | X | |
The following table shows additional authority subsets that are supported by the CHGAUT and WRKAUT commands.
Authority | *RWX | *RW | *RX | *R | *WX | *W | *X |
---|---|---|---|---|---|---|---|
Object authorities: | | | | | | | |
*OBJOPR | X | X | X | X | X | X | X |
*OBJMGT | | | | | | | |
*OBJEXIST | | | | | | | |
*OBJALTER | | | | | | | |
*OBJREF | | | | | | | |
Data authorities: | | | | | | | |
*READ | X | X | X | X | | | |
*ADD | X | X | | | X | X | |
*UPD | X | X | | | X | X | |
*DLT | X | X | | | X | X | |
*EXECUTE | X | | X | | X | | X |
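The subset tables above can be applied mechanically when reviewing whether a granted authority value covers what a command requires, or grants more than it needs. The following is an added example, not IBM-supplied code; the helper names `expand`, `missing` and `excess` are hypothetical, and the sample cases are constructed from the library requirements stated earlier on this page.

```python
# Added example (not IBM code): authority subsets expanded per this page's tables.
OBJECT_AUTS = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA_AUTS = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
# *AUTLMGT is a specific authority, but the subset tables do not list it.
SPECIFIC = OBJECT_AUTS | DATA_AUTS | {"*AUTLMGT"}
WRITE = {"*ADD", "*UPD", "*DLT"}

SUBSETS = {
    "*ALL": OBJECT_AUTS | DATA_AUTS,
    "*CHANGE": {"*OBJOPR"} | DATA_AUTS,
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),  # no specific authority is marked for *EXCLUDE
    # Subsets supported by the CHGAUT and WRKAUT commands
    "*RWX": {"*OBJOPR"} | DATA_AUTS,
    "*RW": {"*OBJOPR", "*READ"} | WRITE,
    "*RX": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*R": {"*OBJOPR", "*READ"},
    "*WX": {"*OBJOPR", "*EXECUTE"} | WRITE,
    "*W": {"*OBJOPR"} | WRITE,
    "*X": {"*OBJOPR", "*EXECUTE"},
}

def expand(values):
    """Expand subset names and specific authorities into specific authorities."""
    result = set()
    for value in values:
        name = value.strip().upper()
        if name in SUBSETS:
            result |= SUBSETS[name]
        elif name in SPECIFIC:
            result.add(name)
        else:
            raise ValueError(f"unknown authority value: {value!r}")
    return result

def missing(granted, required):
    """Specific authorities that are required but not granted."""
    return sorted(expand(required) - expand(granted))

def excess(granted, required):
    """Specific authorities that are granted beyond what is required."""
    return sorted(expand(granted) - expand(required))

if __name__ == "__main__":
    # Constructed cases: adding an object to a library needs *READ and *ADD.
    print(missing(["*USE"], ["*READ", "*ADD"]))   # *USE lacks *ADD
    print(missing(["*X"], ["*EXECUTE"]))          # *X is enough to locate an object
    print(excess(["*ALL"], ["*CHANGE"]))          # object authorities beyond *CHANGE
```
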