Case 5: Using adopted authority
This case demonstrates the performance advantage in using adopted authority.
User SMITHG wants to access the PRICES file using program CPPGM08. SMITHG is not a member of a group and does not have *ALLOBJ special authority. Program CPPGM08 requires *CHANGE authority to the file. CPPGM08 is owned by the profile OWNCP and adopts owner authority (USRPRF is *OWNER).
Analysis:
This example demonstrates the performance advantage in using adopted authority when the program owner also owns the application objects.
The number of steps required to perform authority checking has almost no effect on performance, because most of the steps do not require retrieving new information. In this example, although many steps are performed, private authorities are searched only once (for user SMITHG).
- If you were to change Case 1 so that the group profile DPTSM owns the PRICES file and has *ALL authority to it, the performance characteristics of the two examples is the same. However, having a group profile own application objects might represent a security exposure. The members of the group always have the group's (owner) authority, unless you specifically give group members less authority. When you use adopted authority, you can control the situations in which owner authority is used.
- You can also change Case 1 so that DPTSM is the primary group for the PRICES file and has *CHANGE authority to it. If DPTSM is the first group for SMITHG (specified in the GRPPRF parameter of SMITHG's user profile), the performance characteristics is the same as Case 5.