This case demonstrates that a user can be denied access to an object
even though the user's group has sufficient authority.

User WILSONJ wants to access file PRICES using program CPPGM01,
which requires *CHANGE authority. WILSONJ is a member of group profile DPTSM
and does not have *ALLOBJ special authority. Program CPPGM01 does not use
adopted authority, and it ignores any previous adopted authority (USEADPAUT
is *NO).
- Flowchart 1, step 1.
- Flowchart 2, step 1. PRICES has private authorities.
- Flowchart 1, step 2.
- Flowchart 3, steps 1 and 2. Object to check = CONTRACTS/PRICES *FILE.
- Flowchart 3, step 3.
- Flowchart 4, step 1. WILSONJ does not own the PRICES file. Return to Flowchart
3 with no authority found.
- Flowchart 3, step 4.
- Flowchart 5, steps 1, 2, and 3. Public is not sufficient.
- Flowchart 3, step 5.
- Flowchart 3, step 6. WILSONJ has *USE authority, which is not
sufficient.
- Flowchart 3, step 8. Object to test = CONTRACTS/PRICES *FILE. Return
to Flowchart 1 with insufficient authority.
- Flowchart 1, step 6.
- Flowchart 8A, step 1. Object to check = CONTRACTS/PRICES *FILE.
- Flowchart 8A, step 2. Program CPPGM01 does not adopt authority.
- Flowchart 8A, step 5. The USEADPAUT parameter for the CPPGM01 program
is *NO.
- Flowchart 8A, steps 8 and 9.
- Flowchart 8B, step 1. Program CPPGM01 does not adopt authority.
- Flowchart 8B, step 7. The USEADPAUT parameter for the CPPGM01
program is *NO. Access is denied.
Analysis:

Giving a user the same authority as the
public but less than the user's group does not affect the performance of authority
checking for other users. However, if WILSONJ had *EXCLUDE authority (less
than public), you might lose the performance benefits shown in Case 4.

Although this example has many steps, private authorities are searched only once.
This should provide acceptable performance.
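The check order traced in this case can be reproduced with a small model. This is an added example, not IBM code and not part of the original page; it shows why WILSONJ's own *USE stops the search before group DPTSM is consulted. Assumptions: the function names are hypothetical, OWNERPRF is a placeholder owner, DPTSM is given *CHANGE (the page says only that the group's authority is sufficient), and the authorities are ranked linearly for comparison.

```python
# Added illustration: simplified model of the check order traced in this case.
# Ranking the system-defined authorities is a simplification for comparison.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

def first_authority_found(obj, user, group):
    """Return (source, authority) for the first place any authority is found.

    Order: owner, the user's own private authority, the user's group, public.
    """
    if obj["owner"] == user:
        return "owner", obj["owner_aut"]
    if user in obj["private"]:
        return "user", obj["private"][user]
    if group in obj["private"]:
        return "group", obj["private"][group]
    return "public", obj["public"]

def check_access(obj, user, group, required, adopted=None):
    """Return (granted, source). `adopted` is the authority supplied by
    adopted authority, or None when no program in the stack adopts."""
    source, held = first_authority_found(obj, user, group)
    if RANK[held] >= RANK[required]:
        return True, source
    # Authority was found but is insufficient: the search does not continue
    # to the group or to public. Only adopted authority can still grant access.
    if adopted is not None and RANK[adopted] >= RANK[required]:
        return True, "adopted"
    return False, source

# Constructed sample data. OWNERPRF is a placeholder owner; DPTSM's *CHANGE is
# an assumption (the page says only that the group's authority is sufficient).
PRICES = {
    "owner": "OWNERPRF",
    "owner_aut": "*ALL",
    "public": "*USE",
    "private": {"WILSONJ": "*USE", "DPTSM": "*CHANGE"},
}

def without_private(obj, profile):
    """Copy of obj with one profile's private authority removed."""
    private = {p: a for p, a in obj["private"].items() if p != profile}
    return {**obj, "private": private}

if __name__ == "__main__":
    # CPPGM01 does not adopt and USEADPAUT is *NO, so adopted stays None.
    print(check_access(PRICES, "WILSONJ", "DPTSM", "*CHANGE"))
    print(check_access(without_private(PRICES, "WILSONJ"), "WILSONJ", "DPTSM", "*CHANGE"))
```

In this model, removing WILSONJ's private *USE lets the check fall through to DPTSM, which is the practical remedy when a user should inherit the group's access.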