Library commands

This table lists the specific authorities required for the library commands.

Commands identified by (Q) are shipped with public authority *EXCLUDE. Commands shipped with public authority *EXCLUDE shows which IBM-supplied user profiles are authorized to the command. The security officer can grant *USE authority to others.

Command Referenced object Authority needed
For object For library being acted on
ADDLIBLE Library   *USE
CHGCURLIB New current library   *USE
CHGLIB 8 Library   *OBJMGT
CHGLIBL Every library being placed in the library list   *USE
CHGSYSLIBL (Q) Libraries in new list   *USE
CLRLIB 3 Every object being deleted from library *OBJEXIST *USE
Object types *DTADCT14, *JRN14,*JRNRCV14, *MSGQ14, *SBSD14 See the authority required by the DLTxxx command for the object type  
ASP device (if specified) *USE  
CPYLIB 4 From-Library   *USE
To-library, if it exists   *USE, *ADD
CHKOBJ, CRTDUPOBJ commands *USE  
CRTLIB command, if the target library is being created *USE  
Object being copied The authority that is required when you use the CRTDUPOBJ command to copy the object type.  
CRTLIB 9 ASP device (if specified) *USE  
DLTLIB 3 Every object being deleted from library *OBJEXIST *USE, *OBJEXIST
Object types *DTADCT14, *JRN14,*JRNRCV14, *MSGQ, *SBSD14 See the authority required by the DLTxxx command for the object type  
ASP device (if specified) *USE  
DSPLIB Library   *READ
Objects in the library 5 Some authority other than *EXCLUDE  
ASP device (if specified) *EXECUTE  
DSPLIBD Library   Some authority other than *EXCLUDE
EDTLIBL Library to add to list   *USE
RCLLIB Library   *USE, *OBJEXIST
RSTLIB (Q)7, 17, 19 Media definition *USE *EXECUTE
Library, if it does exist   *READ, *ADD
Message queues being restored to library where they already exist *OBJOPR, *OBJEXIST 7 *EXECUTE. *READ, *ADD
Programs that adopt authority Owner or *ALLOBJ and *SECADM *EXECUTE
Library saved if VOL(*SAVVOL) is specified   *USE 6
Every object being restored over in the library *OBJEXIST 3 *EXECUTE, *READ, *ADD
User profile owning objects being created *ADD 6  
Tape unit, diskette unit, optical unit *USE *EXECUTE
Output file, if specified See General Rules See General Rules
QSYS/QASAVOBJ field reference file for output file, if an output file is specified and does not exist *USE *EXECUTE
RSTLIB (Q) Tape (QSYSTAP) or diskette (QSYSDKT) file *USE 6 *EXECUTE
QSYS/QPSRLDSP printer output, if OUTPUT(*PRINT) specified *USE *EXECUTE
Save file *USE *EXECUTE
Optical File (OPTFILE)12 *R Not applicable
Path prefix of optical file (OPTFILE)12 *X Not applicable
Optical volume11 *USE  
ASP device description15 *USE  
RSTS36LIBM From-file *USE *EXECUTE
To-file *CHANGE *EXECUTE
To-library *CHANGE *EXECUTE
Device file or device description *USE *EXECUTE
RTVLIBD Library   Some authority other than *EXCLUDE
SAVLIB18 Every object in the library *OBJEXIST 6 *READ, *EXECUTE
Media definition *USE *EXECUTE
Save file, if empty *USE, *ADD *EXECUTE
Save file, if records exist in it *USE, *ADD, *OBJMGT *EXECUTE
Save active message queue *OBJOPR, *ADD *EXECUTE
Tape unit, diskette unit, optical unit *USE *EXECUTE
Output file, if specified Refer to the general rules. Refer to the general rules.
QSYS/QASAVOBJ field reference file, if output file is specified and does not exist *USE 6 *EXECUTE
QSYS/QPSAVOBJ printer output *USE 6 *EXECUTE
Command user space, if specified *USE *EXECUTE
SAVLIB Optical File12 *RW Not applicable
Parent Directory of optical file (OPTFILE)12 *WX Not applicable
Path Prefix of optical file (OPTFILE)12 *X Not applicable
Root Directory (/) of Optical Volume12, 13 *RWX Not applicable
Optical volume11 *CHANGE  
ASP device description15 *USE  
SAVRSTLIB On the source system, same authority as required by SAVLIB command.    
On the target system, same authority as required by RSTLIB command.    
SAVS36LIBM Save to a physical file *OBJOPR, *OBJMGT *EXECUTE
Either QSYSDKT for diskette or QSYSTAP for tape, and all commands need authority to the device *OBJOPR *EXECUTE
Save to a physical file if MBROPT(*ADD) is specified *ADD *READ, *ADD
Save to a physical file if MBROPT(*REPLACE) is specified *ADD, *DLT *EXECUTE
From-library   *USE
WRKLIB 10, 16, Start of change20End of change Library   *USE
1
The authority needed for the library being acted on is indicated in this column. For example, to add the library CUSTLIB to a library list using the ADDLIBLE command requires Use authority to the CUSTLIB library.
2
The authority needed for the QSYS library is indicated in this column, because all libraries are in QSYS library.
3
If object existence is not found for some objects in the library, those objects are not deleted, and the library is not completely cleared and deleted. Only authorized objects are deleted.
4
All restrictions that apply to the CRTDUPOBJ command, also apply to this command.
5
If you do not have authority to an object in the library, the text for the object says *NOT AUTHORIZED.
6
If you have *SAVSYS special authority, you do not need the authority specified.
7
You must have *ALLOBJ special authority to specify a value other than *NONE for the Allow object differences (ALWOBJDIF) parameter.
8
You must have *AUDIT special authority to change the CRTOBJAUD value for a library. *OBJMGT is not required if you change only the CRTOBJAUD value. *OBJMGT is required if you change the CRTOBJAUD value and other values.
9
You must have *AUDIT special authority to specify a CRTOBJAUD value other than *SYSVAL.
10
You must have the authority required by the operation to use an individual operation.
11
Optical volumes are not actual system objects. The link between the optical volume and the authorization list used to secure the volume is maintained by the optical support function.
12
This authority check is only made when the Optical media format is Universal Disk Format.
13
This authority check is only made when you are clearing the optical volume.
14
This object is allowed on independent ASP.
15
Authority required only if save or restore operation requires a library namespace switch.
16
This command requires *ALLOBJ special authority.
17
You must have *ALLOBJ special authority to specify *YES for the PVTAUT parameter.
18
You must have *ALLOBJ or *SAVSYS special authority to specify *YES for the PVTAUT parameter.
19
You must have *SAVSYS special authority to specify a name for the DFRID parameter.
Start of change20End of change
Start of changeIf you are authorized to the IBM i Database Security Administrator function (QIBM_DB_SECADM) you do not need the specified authority to the object.End of change