Common commands for most objects

This table lists, in alphabetical order, commands that can work on most objects.

Commands identified by (Q) are shipped with public authority *EXCLUDE. The topic "Commands shipped with public authority *EXCLUDE" shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Table 1. Common commands for most objects
| Command | Referenced object | Authority needed for object | Authority needed for library |
|---|---|---|---|
| ALCOBJ 1, 2, 11 | Object | *OBJOPR | *EXECUTE |
| ANZOBJCVN (Q) 20 | | | |
| ANZUSROBJ 20 | | | |
| CHGOBJAUD 18 | ASP Device (if specified) | *USE | |
| CHGOBJD 3 | Object, if it is a file | *OBJOPR, *OBJMGT | *EXECUTE |
| | Object, if it is not a file | *OBJMGT | *EXECUTE |
| CHGOBJOWN 3, 4, 36 | Object | *OBJEXIST | *EXECUTE |
| | Object (if file, library, subsystem description) | *OBJOPR, *OBJEXIST | *EXECUTE |
| | Object (if *AUTL) | Ownership or *ALLOBJ | *EXECUTE |
| | Old user profile | *DLT | *EXECUTE |
| | New user profile | *ADD | *EXECUTE |
| | ASP Device (if specified) | *USE | |
| CHGOBJPGP 3, 36 | Object | *OBJEXIST | *EXECUTE |
| | Object (if file, library, subsystem description) | *OBJOPR, *OBJEXIST | *EXECUTE |
| | Object (if *AUTL) | Ownership and *OBJEXIST, or *ALLOBJ | *EXECUTE |
| | Old user profile | *DLT | |
| | New user profile | *ADD | |
| | ASP Device (if specified) | *USE | |
| CHKOBJ 3 | Object | Authority specified by AUT parameter 14 | *EXECUTE |
| CPROBJ | Object | *OBJMGT | *EXECUTE |
| CHKOBJITG 11 (Q) | | | |
| CRTDUPOBJ 3, 9, 11, 21 | New object | | *USE, *ADD |
| | Object being copied, if it is an *AUTL | *AUTLMGT | *USE, *ADD |
| | Object being copied, all other types | *OBJMGT, *USE | *USE |
| | CRTSAVF command (if the object is a save file) | *OBJOPR | |
| | ASP Device (if specified) | *USE | |
| DCPOBJ | Object | *USE | *EXECUTE |
| DLCOBJ 1, 11 | Object | *OBJOPR | *EXECUTE |
| DLTOBJ 35 | Object | *OBJEXIST | *EXECUTE |
| | ASP Device (if specified) | *USE | |
| DMPOBJ (Q) 3 | Object | *OBJOPR, *READ | *EXECUTE |
| DMPSYSOBJ (Q) | Object | *OBJOPR, *READ | *EXECUTE |
| DSPOBJAUT 3 | Object (to see all authority information) 36 | *OBJMGT or *ALLOBJ special authority or ownership | *EXECUTE |
| | Output file | Refer to the general rules. | Refer to the general rules. |
| | ASP Device (if specified) 36 | *USE | |
| DSPOBJD 2, 28 | Output file | Refer to the general rules. | Refer to the general rules. |
| | Object | Some authority other than *EXCLUDE | *EXECUTE |
| | ASP Device (if specified) | *EXECUTE | |
| EDTOBJAUT 3, 5, 6, 15, 36 | Object | *OBJMGT | *EXECUTE |
| | Object (if file) | *OBJOPR, *OBJMGT | *EXECUTE |
| | *AUTL, if used to secure object | Not *EXCLUDE | |
| | ASP Device (if specified) | *USE | |
| GRTOBJAUT 3, 5, 6, 15, 36 | Object | *OBJMGT | *EXECUTE |
| | Object (if file) | *OBJOPR, *OBJMGT | *EXECUTE |
| | *AUTL, if used to secure object | Not *EXCLUDE | |
| | ASP Device (if specified) | *USE | |
| | Reference ASP Device (if specified) | *EXECUTE | |
| | Reference object | *OBJMGT or Ownership | *EXECUTE |
| MOVOBJ 3, 7, 12 | Object | *OBJMGT | |
| | Object (if *FILE) | *ADD, *DLT, *EXECUTE | |
| | Object (not *FILE) | *DLT, *EXECUTE | |
| | From-library | | *CHANGE |
| | To-library | | *READ, *ADD |
| | ASP Device (if specified) | *USE | |
| PRTADPOBJ 26 (Q) | | | |
| PRTPUBAUT 26 | | | |
| PRTUSROBJ 26 | | | |
| PRTPVTAUT 26 | | | |
| RCLDBXREF | | | |
| RCLOBJOWN (Q) | | | |
| RCLSTG (Q) | | | |
| RCLTMPSTG (Q) | Object | *OBJMGT | *EXECUTE |
| RMVDFRID (Q) 10 | | | |
| RNMOBJ 3, 11 | Object | *OBJMGT | *UPD, *EXECUTE |
| | Object, if *AUTL | *AUTLMGT | *EXECUTE |
| | Object (if *FILE) | *OBJOPR, *OBJMGT | *UPD, *EXECUTE |
| | ASP Device (if specified) | *USE | |
| RSTDFROBJ (Q) 10 | QSYS/QPSRLDSP printer output, if OUTPUT(*PRINT) specified | *USE | *EXECUTE |
| | Output file, if specified | Refer to the general rules | Refer to the general rules |
| | QSYS/QASRRSTO field reference file for output file, if an output file is specified and does not exist | *USE | *EXECUTE |
| RSTOBJ (Q) 3, 13, 31, 33 | Object, if it already exists in the library | *OBJEXIST 8 | *EXECUTE, *ADD |
| | Object, if it is *CFGL, *CNNL, *CTLD, *DEVD, *LIND, or *NWID | *CHANGE and *OBJMGT | *EXECUTE |
| | Media definition | *USE | *EXECUTE |
| | Message queues being restored to library where they already exist | *OBJOPR, *OBJEXIST 8 | *EXECUTE, *ADD |
| | User profile owning objects being created | *ADD 8 | |
| | Program that adopts authority | Owner or *SECADM and *ALLOBJ special authority | *EXECUTE |
| | To-library | *EXECUTE, *ADD 8 | |
| | Library for saved object if VOL(*SAVVOL) is specified | *USE 8 | |
| | Save file | *USE | *EXECUTE |
| RSTOBJ (Q) | Tape unit or optical unit | *USE | *EXECUTE |
| | Tape (QSYSTAP) file or diskette (QSYSDKT) file | *USE 8 | *EXECUTE |
| | Optical File (OPTFILE) 22 | *R | Not applicable |
| | Parent Directory of optical file (OPTFILE) 22 | *X | Not applicable |
| | Path prefix of OPTFILE 22 | *X | Not applicable |
| | Optical volume 24 | *USE | Not applicable |
| | QSYS/QPSRLDSP printer output, if OUTPUT(*PRINT) specified | *USE | *EXECUTE |
| | Output file, if specified | Refer to the general rules. | Refer to the general rules. |
| | QSYS/QASRRSTO field reference file for output file, if an output file is specified and does not exist | *USE | *EXECUTE |
| | ASP device description 25 | *USE | |
| RSTSYSINF | Save file | *USE | *EXECUTE |
| | Tape unit or optical unit | *USE | *EXECUTE |
| | Optical File (OPTFILE) 22 | *R | Not applicable |
| | Parent Directory of optical file (OPTFILE) 22 | *X | Not applicable |
| | Path prefix of OPTFILE 22 | *X | Not applicable |
| | Optical volume 24 | *USE | Not applicable |
| RVKPUBAUT 20 | | | |
| RTVOBJD 2, 29 | Object | Some authority other than *EXCLUDE | *EXECUTE |
| RVKOBJAUT 3, 5, 15, 27, 36 | ASP Device (if specified) | *USE | |
| SAVCHGOBJ 3, 32 | Object (8) | *OBJEXIST | *EXECUTE |
| | Tape unit or optical unit | *USE | *EXECUTE |
| | Save file, if empty | *USE, *ADD | *EXECUTE |
| | Save file, if records exist in it | *OBJMGT, *USE, *ADD | *EXECUTE |
| | Save active message queue | *OBJOPR, *ADD | *EXECUTE |
| | Command user space, if specified | *USE | *EXECUTE |
| SAVCHGOBJ | Optical File (OPTFILE) 22 | *RW | Not applicable |
| | Parent Directory of optical file (OPTFILE) 22 | *WX | Not applicable |
| | Path prefix of optical file (OPTFILE) 22 | *X | Not applicable |
| | Root Directory (/) of optical volume 22, 23 | *RWX | Not applicable |
| | Optical volume 24 | *CHANGE | |
| | Output file, if specified | Refer to the general rules. | Refer to the general rules. |
| | QSYS/QASAVOBJ field reference file for output file, if an output file is specified and does not exist | *USE 8 | *EXECUTE |
| | QSYS/QPSAVOBJ printer output | *USE 8 | *EXECUTE |
| | ASP device description 25 | *USE | |
| SAVOBJ 3, 32 | Object | *OBJEXIST 8 | *EXECUTE |
| | Media definition | *USE | *EXECUTE |
| | Tape unit or optical unit | *USE | *EXECUTE |
| | Save file, if empty | *USE, *ADD | *EXECUTE |
| | Save file, if records exist in it | *OBJMGT, *USE, *ADD | *EXECUTE |
| | Save active message queue | *OBJOPR, *ADD | *EXECUTE |
| | Command user space, if specified | *USE | *EXECUTE |
| SAVOBJ | Optical File (OPTFILE) 22 | *RW | Not applicable |
| | Parent Directory of optical file (OPTFILE) 22 | *WX | Not applicable |
| | Path prefix of OPTFILE 22 | *X | Not applicable |
| | Root directory (/) of optical volume 22, 23 | *RWX | Not applicable |
| | Optical volume 24 | *CHANGE | |
| | Output file, if specified | Refer to the general rules. | Refer to the general rules. |
| | QSYS/QASAVOBJ field reference file for output file, if an output file is specified and does not exist | *USE 8 | *EXECUTE |
| | QSYS/QPSAVOBJ printer output | *USE 8 | *EXECUTE |
| | ASP device description 25 | *USE | |
| SAVSTG 10 | | | |
| SAVSYS 10 | Tape unit, optical unit | *USE | *EXECUTE |
| | Root directory (/) of optical volume 22 | *RWX | Not applicable |
| | Optical volume 24 | *CHANGE | Not applicable |
| SAVSYSINF | Media definition | *USE | *EXECUTE |
| | Tape unit or optical unit | *USE | *EXECUTE |
| | Save file, if empty | *USE, *ADD | *EXECUTE |
| | Save file, if records exist in it | *OBJMGT, *USE, *ADD | *EXECUTE |
| | Optical File (OPTFILE) 22 | *RW | Not applicable |
| | Parent Directory of optical file (OPTFILE) 22 | *WX | Not applicable |
| | Path prefix of OPTFILE 22 | *X | Not applicable |
| | Root directory (/) of optical volume 22, 23 | *RWX | Not applicable |
| | Optical volume 24 | *CHANGE | |
| SAVRSTCHG | On the source system, same authority as required by SAVCHGOBJ command. | | |
| | On the target system, same authority as required by RSTOBJ command. | | |
| | ASP device description 25 | *USE | |
| SAVRSTOBJ | On the source system, same authority as required by SAVOBJ command. | | |
| | On the target system, same authority as required by RSTOBJ command. | | |
| | ASP device description 25 | *USE | |
| SETOBJACC | Object | *OBJOPR | *EXECUTE |
| STROBJCVN (Q) 20 | | | |
| STRSAVSYNC 34 | | | |
| WRKOBJ 19, 36 | Object | Any authority | *USE |
| WRKOBJLCK | Object | | *EXECUTE |
| | ASP Device | *EXECUTE | |
| WRKOBJOWN 17 | User profile | *READ | *EXECUTE |
| WRKOBJPGP 17 | User profile | *READ | *EXECUTE |
| WRKOBJPVT 17 | User profile | *READ | *EXECUTE |

1
See the OBJTYPE keyword of the ALCOBJ command for the list of object types that can be allocated and deallocated.
2
Some authority to the object (other than *EXCLUDE) is required.
3
This command cannot be used for documents or folders. Use the equivalent Document Library Object (DLO) command.
4
You must have *ALLOBJ and *SECADM special authority to change the object owner of a program, service program, or SQL package that adopts authority.
5
You must be the owner or have *OBJMGT authority and the authorities being granted or revoked.
6
You must be the owner or have *ALLOBJ special authority to grant *OBJMGT or *AUTLMGT authority.
7
This command cannot be used for user profiles, controller descriptions, device descriptions, line descriptions, documents, document libraries, and folders.
8
If you have *SAVSYS special authority, you do not need the authority specified.
9
If the user running the CRTDUPOBJ command has OWNER(*GRPPRF) in his user profile, the owner of the new object is the group profile. To successfully copy authorities to a new object owned by the group profile, the following applies:
  • The user running the command must have authority to the from-object. Authorities can be obtained from adopted authority or through the group profile.
  • If an error occurs while copying authorities to the new object, the newly created object is deleted.
10
You must have *SAVSYS special authority.
11
This command cannot be used for journals and journal receivers.
12
This command cannot be used for journals and journal receivers, unless the from-library is QRCL and the to-library is the original library for the journal or journal receiver.
13
You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
14
To check a user's authority to an object, you must have the authority you are checking. For example, to check whether a user has *OBJEXIST authority for FILEB, you must have *OBJEXIST authority to FILEB.
15
To secure an object with an authorization list or remove the authorization list from the object, you must do one of the following actions:
  • Own the object.
  • Have *ALL authority to the object.
  • Have *ALLOBJ special authority.
16
If either the original file or the renamed file has an associated authority holder, *ALL authority to the authority holder is required.
17
This command does not support the QOPT file system.
18
You must have *AUDIT special authority.
19
To use an individual operation, you must have the authority required by the individual operation.
20
You must have *ALLOBJ special authority.
21
All authorities on the from-object are duplicated to the new object. The primary group of the new object is determined by the group authority type (GRPAUTTYP) field in the user profile that is running the command. If the from-object has a primary group, the new object might not have the same primary group, but the authority that the primary group has on the from-object will be duplicated to the new object.
22
This authority check is only made when the Optical media format is Universal Disk Format.
23
This authority check is only made if you are clearing the optical volume.
24
Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
25
Authority required only if save or restore operation requires a library namespace switch.
26
You must have *ALLOBJ or *AUDIT special authority to use this command.
27
*** Security Risk *** Revoking all authorities specifically given to a user for an object can result in the user having more authority than before the revoke operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.
28
You must have either *ALLOBJ or *AUDIT special authority to have the current object auditing value displayed. Otherwise, the value *NOTAVL is displayed to indicate that the value is not available for display.
29
You must have either *ALLOBJ or *AUDIT special authority to retrieve the current object auditing value. Otherwise, the value *NOTAVL is returned to indicate that the values are not available for retrieval.
30
See the CHGPGM, CHGSRVPGM, and CHGMOD commands to determine the authority needed to convert programs, service programs, and modules.
31
You must have *ALLOBJ special authority to specify *YES for the PVTAUT parameter.
32
You must have either *ALLOBJ or *SAVSYS special authority to specify *YES for the PVTAUT parameter.
33
You must have *SAVSYS special authority to specify a name for the DFRID parameter.
34
You must have *SAVSYS and *JOBCTL special authority.
35
Some supported object types may require additional object and library authorities. Refer to the Delete Object (QLIDLTO) API documentation for more information.
36
If you are authorized to the IBM i Database Security Administrator function (QIBM_DB_SECADM), you do not need the specified special authority or the specified authority to the object. However, users authorized to the QIBM_DB_SECADM function cannot grant authority to themselves or transfer ownership to themselves unless they have the authorities required for the operation.
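
The behavior described in note 27, as an added example that is not part of the IBM documentation: a simplified Python model in which a user's private authority on the object is used before the securing authorization list is consulted, with a dry-run check to perform before RVKOBJAUT. The class and function names, LIBA/FILEA and APPUSER are constructed; group profiles, *PUBLIC, adopted authority and special authorities are left out of the model.

```python
# Added example: simplified model of the lookup behind note 27.
# Assumption: only the user's private authority on the object and on the
# securing authorization list are modelled (no groups, *PUBLIC, adoption).

USE = frozenset({"*OBJOPR", "*READ", "*EXECUTE"})
CHANGE = USE | {"*ADD", "*UPD", "*DLT"}


class SecuredObject:
    def __init__(self, name, private=None, autl=None):
        self.name = name
        self.private = dict(private or {})  # user -> rights held on the object
        self.autl = dict(autl or {})        # user -> rights on the securing *AUTL

    def effective(self, user):
        """The first entry found is used: object first, then the *AUTL."""
        if user in self.private:
            return frozenset(self.private[user])
        return frozenset(self.autl.get(user, ()))

    def revoke(self, user, rights):
        """Remove rights; a private entry left with no rights is deleted."""
        remaining = frozenset(self.private.get(user, ())) - frozenset(rights)
        if remaining:
            self.private[user] = remaining
        else:
            self.private.pop(user, None)


def rights_gained_by_revoke(obj, user, rights):
    """Dry run: rights the user would gain if `rights` were revoked."""
    trial = SecuredObject(obj.name, obj.private, obj.autl)
    trial.revoke(user, rights)
    return trial.effective(user) - obj.effective(user)


# Constructed sample matching note 27: *USE on the object, *CHANGE on the list.
FILEA = SecuredObject("LIBA/FILEA",
                      private={"APPUSER": USE},
                      autl={"APPUSER": CHANGE})

if __name__ == "__main__":
    gained = rights_gained_by_revoke(FILEA, "APPUSER", USE)
    print("Revoking *USE would add:", sorted(gained))
```

A non-empty result means the revoke removes the private entry that was limiting the user, so the authorization list entry has to be reviewed in the same change.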