Case 6: User and group authority

This case demonstrates that a user can be denied access to an object even though the user's group has sufficient authority.

User WILSONJ wants to access file PRICES using program CPPGM01, which requires *CHANGE authority. WILSONJ is a member of group profile DPTSM and does not have *ALLOBJ special authority. Program CPPGM01 does not use adopted authority, and it ignores any previous adopted authority (USEADPAUT is *NO).

  1. Flowchart 1, step 1.
    1. Flowchart 2, step 1. PRICES has private authorities.
  2. Flowchart 1, step 2.
    1. Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
    2. Flowchart 3, step 3.
      1. Flowchart 4, step 1. WILSONJ does not own the PRICES file. Return to Flowchart 3 with no authority found.
    3. Flowchart 3, step 4.
      1. Flowchart 5, steps 1, 2, and 3. Public is not sufficient.
    4. Flowchart 3, step 5.
    5. Flowchart 3, step 6. WILSONJ has *USE authority, which is not sufficient.
    6. Flowchart 3, step 8. Object to test = CONTRACTS/PRICES *FILE. Return to Flowchart 1 with insufficient authority.
  3. Flowchart 1, step 6.
    1. Flowchart 8A, step 1. Object to check = CONTRACTS/PRICES *FILE.
    2. Flowchart 8A, step 2. Program CPPGM01 does not adopt authority.
    3. Flowchart 8A, step 5. The USEADPAUT parameter for the CPPGM01 program is *NO.
    4. Flowchart 8A, steps 8 and 9.
      1. Flowchart 8B, step 1. Program CPPGM01 does not adopt authority.
      2. Flowchart 8B, step 7. The USEADPAUT parameter for the CPPGM01 program is *NO. Access is denied.
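
The check order traced above can be reproduced with a small model. This is an added example, not IBM code: it is a simplification that ranks the system-defined authorities and omits authorization lists and *ALLOBJ. The owner name, the *CHANGE value for DPTSM, and the *USE public authority are constructed to match the case description.

```python
# Simplified model of the check order traced in Case 6 (added example, not IBM code).
# Assumption: system-defined authorities are treated as a strict ranking;
# authorization lists and special authorities are left out.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

def check_authority(obj, user, groups, required, adopted=None):
    """Return (granted, source) for a user without *ALLOBJ special authority."""
    need = RANK[required]

    def decide(found, source):
        # Any authority found ends the profile search. If it is insufficient,
        # only adopted authority can still grant access.
        if RANK[found] >= need:
            return True, source
        if adopted is not None and RANK[adopted] >= need:
            return True, "adopted"
        return False, source

    if obj["owner"] == user:
        return decide(obj["owner_aut"], "owner")
    if user in obj["private"]:
        # An insufficient private authority stops here: groups are never consulted.
        return decide(obj["private"][user], "user private")
    held = [obj["private"][g] for g in groups if g in obj["private"]]
    if held:
        # Approximation: with several groups, take the strongest authority held.
        return decide(max(held, key=RANK.get), "group")
    return decide(obj["public"], "public")

# Constructed sample data for CONTRACTS/PRICES *FILE.
PRICES = {
    "owner": "OWNER_PLACEHOLDER",      # hypothetical; the page names no owner
    "owner_aut": "*ALL",
    "private": {"WILSONJ": "*USE", "DPTSM": "*CHANGE"},
    "public": "*USE",
}

if __name__ == "__main__":
    # CPPGM01 adopts nothing and has USEADPAUT(*NO), so adopted stays None.
    print(check_authority(PRICES, "WILSONJ", ["DPTSM"], "*CHANGE"))
```

Removing WILSONJ's private *USE entry from the sample lets the search reach DPTSM, and the same request is granted through the group.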

Analysis:

Giving a user the same authority as the public but less than the user's group does not affect the performance of authority checking for other users. However, if WILSONJ had *EXCLUDE authority (less than public), you might lose the performance benefits shown in Case 4.

Although this example has many steps, private authorities are searched only once. This should provide acceptable performance.