AUTHORITY_COLLECTION view
The AUTHORITY_COLLECTION view contains information about the authority check for an object.
The following table describes the columns in the view. The schema is QSYS2.
Column Name | System Column Name | Data Type | Description |
---|---|---|---|
AUTHORIZATION_NAME | USER_NAME | VARCHAR(10) Nullable | The name of the user profile for which authority information was collected. |
CHECK_TIMESTAMP | CHKTIME | TIMESTAMP Nullable | The date and time the authority check was made. |
SYSTEM_OBJECT_NAME | SYS_ONAME | VARCHAR(10) Nullable | The name of the object whose authority was checked. This field contains information for objects in libraries and document library objects (*DOC and *FLR object types). Document library objects in this field will be in *SYSOBJNAM format. File system objects and document library objects use the PATH_NAME field. |
SYSTEM_OBJECT_SCHEMA | SYS_DNAME | VARCHAR(10) Nullable | The name of the library that contains the object. |
SYSTEM_OBJECT_TYPE | SYS_OTYPE | VARCHAR(8) Nullable | The object type of the object. |
ASP_NAME | ASP_NAME | VARCHAR(10) Nullable | The name of the auxiliary storage pool to which storage for the object is allocated. |
ASP_NUMBER | ASP_NUMBER | DECIMAL(5,0) Nullable | The number of the auxiliary storage pool to which storage for the object is allocated. A value of 0 indicates *SYSBAS. |
OBJECT_NAME | ONAME | VARCHAR(128) Nullable | The SQL name of the object. Objects supported by SQL may have the same name as the IBM® i name or may have a different longer name than the IBM i name (SYSTEM_OBJECT_NAME). |
OBJECT_SCHEMA | OSCHEMA | VARCHAR(128) Nullable | The SQL name of the schema (library). Schemas in SQL may have the same name as the IBM i name or may have a different longer name than the IBM i name (SYSTEM_OBJECT_SCHEMA). |
OBJECT_TYPE | OTYPE | VARCHAR(9) Nullable | The SQL object type. The following values can be returned. |
AUTHORIZATION_LIST | AUTL | VARCHAR(10) Nullable | The name of the authorization list used to secure the object. This field contains data only if the object is secured by an authorization list. |
AUTHORITY_CHECK_SUCCESSFUL | CHKSUCCESS | CHAR(1) Nullable | The result of the authority check. This field is set to ‘1’ if the authority check was successful and ‘0’ if the authority check was not successful. |
CHECK_ANY_AUTHORITY | CHKANYAUTH | CHAR(1) Nullable | Indicates whether the authority check that is performed by the system is for “ANY” of the authorities that are listed in the DETAILED_REQUIRED_AUTHORITY field. This field is set to ‘1’ if “ANY” of the authorities were checked and ‘0’ if specific authorities were checked. Certain authority checks allow the function to complete if the user associated with the currently running job has one or more of the authorities that are listed in the DETAILED_REQUIRED_AUTHORITY field. A common function that performs the “ANY” authority check is the system lock instruction that is used by many system commands, APIs, and services. |
CACHED_AUTHORITY | CACHEAUTH | CHAR(1) Nullable | The operating system (OS) and Licensed Internal Code (LIC) have the capability to cache the authority the user currently has to an object, and use this authority for future authority checks. This field is set to ‘1’ if authority was cached and ‘0’ if authority was not cached. For performance reasons, the authority collection code will log, to the authority collection repository, the first authority check where cached authority is initially stored. Future authority checks, that use the cached authority, are not logged to the authority collection repository. However, any future authority check that requires more authority than was initially cached results in the logging of an authority collection entry for the authority check. In addition, the authority collection entries that have this field set to ‘1’ might not always provide an accurate view of the required authority information. The reason for this is that the system code can cache the maximum authority the current user of the job has to the object but require only a subset of this authority to pass a future authority check. This is a rare case within the OS and LIC but might occasionally be done. |
REQUIRED_AUTHORITY | REQAUTH | VARCHAR(7) Nullable | The authority that is required by the system to access the object. If the DETAILED_REQUIRED_AUTHORITY field does not map to a system-defined object authority level, this field will be blank. See Authority field values. |
DETAILED_REQUIRED_AUTHORITY | DTLREQAUTH | VARCHAR(90) Nullable | The detailed individual authority values that are required by the system to access the object. This is an important piece of information in the authority collection data. The detailed required authority is what is used to determine what authority can be set on the object so that it passes the authority check. Analyzing all of the authority collection entries for an object indicates what authority value can be set on the object to allow the application to run successfully from an authority standpoint. See Detailed authority field values. |
CURRENT_AUTHORITY | CURAUTH | VARCHAR(8) Nullable | The authority that the user currently has to the object. The AUTHORITY_SOURCE field must also be evaluated to determine where the user’s authority to the object was found. If the DETAILED_CURRENT_AUTHORITY field does not map to a system-defined object authority level, this field will be blank. See Authority field values. |
DETAILED_CURRENT_AUTHORITY | DTLCURAUTH | VARCHAR(99) Nullable | The detailed authority values that the user currently has to the object. The AUTHORITY_SOURCE field must also be evaluated to determine where the user’s authority to the object was found. See Detailed authority field values. |
AUTHORITY_SOURCE | AUTHSRC | VARCHAR(50) Nullable | Where the system found the authority that either satisfied the authority check or caused the authority check to end unsuccessfully. |
GROUP_NAME | GROUP_NAME | VARCHAR(10) Nullable | The name of the group profile whose authority was used to satisfy the authority check. If multiple group profiles contribute to the accumulated current authority for the object, this field contains the last group to contribute and the MULTIPLE_GROUPS_USED field is set to ‘1’. Group profiles are checked for authority based on the order in the group profile and supplemental group profile list in the user profile. |
MULTIPLE_GROUPS_USED | MLTGRPUSED | CHAR(1) Nullable | Indicates whether multiple group profiles contributed to the DETAILED_CURRENT_AUTHORITY for the object. This field is set to ‘1’ if multiple group profiles contributed and ‘0’ if no group profiles or only one group profile’s authority is used. |
ADOPT_AUTHORITY_USED | ADOPTUSED | CHAR(1) Nullable | Indicates whether adopted authority is used to satisfy the authority check. This field is set to ‘1’ if the authority of the adopting program owner is used to satisfy the authority check. This field is set to ‘0’ if adopted authority was not used to satisfy the authority check. In addition, when this field is set to '0', the ADOPTING_PROGRAM_NAME field can contain the name of a program that is on the program invocation stack of the thread. If a program is listed, this program adopts the owner’s authority and would satisfy the authority check if authority was not available from another authority source in the thread. That is, excessive authority could be removed, and adopted authority used. If no program name is listed in the ADOPTING_PROGRAM_NAME field, then this indicates no program in the invocation stack would satisfy the authority check for the object. |
MULTIPLE_ADOPTING_PROGRAMS_USED | MLTADOPTPG | CHAR(1) Nullable | Indicates whether the owners of multiple programs that adopt contribute authority to the combined DETAILED_CURRENT_ADOPTED_AUTHORITY field. This field is set to '1' if multiple programs that adopt contributed and ‘0’ if no programs that adopt or only one program that adopts is used. |
ADOPTING_PROGRAM_NAME | ADOPTPGM | VARCHAR(10) Nullable | The name of the program that adopts the owner’s authority. If multiple adopting programs contribute to the accumulated DETAILED_CURRENT_ADOPTED_AUTHORITY for the object, the last program to contribute is listed and the MULTIPLE_ADOPTING_PROGRAMS_USED field is set to ‘1’. Adopting programs are checked for authority in order from the most recent invocation to the oldest invocation on the program invocation stack. |
ADOPTING_PROGRAM_SCHEMA | ADOPTLIB | VARCHAR(10) Nullable | The name of the library that contains the adopting program. |
ADOPTING_PROCEDURE_NAME | ADOPTPRC | VARCHAR(256) Nullable | The name of the adopting Integrated Language Environment (ILE) program procedure. |
ADOPTING_PROGRAM_TYPE | ADOPTPGMT | VARCHAR(8) Nullable | The object type of the adopting program. |
ADOPTING_PROGRAM_ASP_NAME | ADOPTPGMA | VARCHAR(10) Nullable | The name of the auxiliary storage pool to which storage for the adopting program is allocated. |
ADOPTING_PROGRAM_ASP_NUMBER | ADOPTPGMAN | DECIMAL(5,0) Nullable | The number of the auxiliary storage pool to which storage for the adopting program is allocated. A value of 0 indicates *SYSBAS. |
ADOPTING_PROGRAM_STATEMENT_NUMBER | ADOPTPGMSN | DECIMAL(10,0) Nullable | The statement number of the adopting program. |
ADOPTING_PROGRAM_OWNER | ADOPTPGMOW | VARCHAR(10) Nullable | The name of the adopting program owner. The adopting program owner’s authority is included in the authority checking algorithm of the system when the program in the ADOPTING_PROGRAM_NAME field is on the program invocation stack. Note: The ability to block adopted authority from previous invocations exists, by using the Use Adopted Authority attribute of a program. This attribute can be changed by using the Change Program (CHGPGM) command. When the Use Adopted Authority value of *NO is set on a program, this prevents any adopted authority from previous invocations from being included in the authority checking algorithm of the system. |
CURRENT_ADOPTED_AUTHORITY | CURADPT | VARCHAR(8) Nullable | The authority value that the adopting program owner currently has to the object. The ADOPTED_AUTHORITY_SOURCE field must also be evaluated to determine where the adopting program owner’s authority to the object was found. If the DETAILED_CURRENT_ADOPTED_AUTHORITY field does not map to a system-defined object authority level, this field will be blank. See Authority field values. |
DETAILED_CURRENT_ADOPTED_AUTHORITY | DTLCURADPT | VARCHAR(99) Nullable | The detailed authority values that the adopting program owner currently has to the object. The ADOPTED_AUTHORITY_SOURCE field must also be evaluated to determine where the adopting program owner’s authority to the object was found. See Detailed authority field values. |
ADOPTED_AUTHORITY_SOURCE | ADOPTAUTSR | VARCHAR(50) Nullable | Where the system found the adopted authority that either satisfied the authority check or caused the authority check to end unsuccessfully. |
MOST_RECENT_PROGRAM_INVOKED | PGMINV | VARCHAR(10) Nullable | The name of the most recent program on the program invocation stack when the authority check was made. |
MOST_RECENT_PROGRAM_SCHEMA | PGMLIBINV | VARCHAR(10) Nullable | The name of the library that contains the most recent program invoked. |
MOST_RECENT_MODULE | MODINV | VARCHAR(30) Nullable | The name of the bound module within the most recently invoked ILE program. |
MOST_RECENT_PROGRAM_PROCEDURE | PGMPRC | VARCHAR(256) Nullable | The name of the most recently invoked ILE program procedure. |
MOST_RECENT_PROGRAM_TYPE | PGMTYP | VARCHAR(8) Nullable | The object type of the most recent program invoked. |
MOST_RECENT_PROGRAM_ASP_NAME | PGMASP | VARCHAR(10) Nullable | The name of the auxiliary storage pool to which storage for the most recent program is allocated. |
MOST_RECENT_PROGRAM_ASP_NUMBER | PGMASPN | DECIMAL(5,0) Nullable | The number of the auxiliary storage pool to which storage for the most recent program is allocated. A value of 0 indicates *SYSBAS. |
MOST_RECENT_PROGRAM_STATEMENT_NUMBER | PGMSTMN | DECIMAL(10,0) Nullable | The statement number of the most recent program. |
MOST_RECENT_USER_STATE_PROGRAM_INVOKED | USTPGM | VARCHAR(10) Nullable | The name of the most recent user state program on the program invocation stack when the authority check was made. A user state program is a program that is not part of the System State portion of the IBM i OS or the System State portion of an IBM product. Programs created by customers, programs created by application providers, and many products provided by IBM run in user state. |
MOST_RECENT_USER_STATE_PROGRAM_SCHEMA | USTLIB | VARCHAR(10) Nullable | The name of the library that contains the most recent user state program invoked. |
MOST_RECENT_USER_STATE_MODULE | USTMOD | VARCHAR(30) Nullable | The name of the bound module within the most recently invoked user state ILE program. |
MOST_RECENT_USER_STATE_PROGRAM_PROCEDURE | USTPGMPRC | VARCHAR(256) Nullable | The name of the most recently invoked user state ILE program procedure. |
MOST_RECENT_USER_STATE_PROGRAM_TYPE | USTPGMTYP | VARCHAR(8) Nullable | The object type of the most recent user state program invoked. |
MOST_RECENT_USER_STATE_PROGRAM_ASP_NAME | USTPGMASP | VARCHAR(10) Nullable | The name of the auxiliary storage pool to which storage for the most recent user state program is allocated. |
MOST_RECENT_USER_STATE_PROGRAM_ASP_NUMBER | USTPGMASPN | DECIMAL(5,0) Nullable | The number of the auxiliary storage pool to which storage for the most recent user state program is allocated. A value of 0 indicates *SYSBAS. |
MOST_RECENT_USER_STATE_PROGRAM_STATEMENT_NUMBER | USTPGMSN | DECIMAL(10,0) Nullable | The statement number of the most recent user state program. |
JOB_NAME | JOB_NAME | VARCHAR(10) Nullable | The job name of the job in which the authority check was made. |
JOB_USER | JOB_USER | VARCHAR(10) Nullable | The job user of the job in which the authority check was made. |
JOB_NUMBER | JOBNBR | CHAR(6) Nullable | The job number of the job in which the authority check was made. |
THREAD_ID | THREAD_ID | BIGINT Nullable | The thread ID of the currently running thread of the job in which the authority check was made. |
CURRENT_USER | CURUSR | VARCHAR(10) Nullable | The current user associated with the thread of the job in which the authority check was made. |
OBJECT_FILE_ID | OFILEID | BINARY(16) Nullable | The file ID of the path name. |
OBJECT_ASP_NAME | OASP | VARCHAR(10) Nullable | The name of the auxiliary storage pool to which storage for the object in the path name is allocated. |
OBJECT_ASP_NUMBER | OASPN | DECIMAL(5,0) Nullable | The number of the auxiliary storage pool to which storage for the object in the path name is allocated. A value of 0 indicates *SYSBAS. |
PATH_NAME | PATH_NAME | DBCLOB(16M) CCSID 1200 Nullable | The path of the object whose authority was checked. This field contains information for document library objects (*DOC and *FLR object types), and objects in the "root" (/), QOpenSys, and user-defined file systems. This field will not be filled in for objects in libraries. |
PATH_REGION | PATHREGION | CHAR(2) Nullable | The country or region id for the path name. |
PATH_LANGUAGE | PATHLANG | CHAR(3) Nullable | The language id for the path name. |
ABSOLUTE_PATH_INDICATOR | ABSPATHIND | CHAR(1) Nullable | Indicates whether the path name of the object is an absolute path or a relative path. This field is set to ‘Y’ if the path name of the object begins with a delimiter (path name resolution starts at the "root" (/) directory). This field is set to ‘N’ if the path name of the object contains a relative path name. In addition, when this field contains 'N', the RELATIVE_DIRECTORY_FILE_ID field contains the File ID of the parent directory of the relative path which is used to form an absolute path name. |
RELATIVE_DIRECTORY_FILE_ID | RELDIRID | BINARY(16) Nullable | The relative directory file ID of the parent directory that contains the object in the PATH_NAME field. This field is set when the ABSOLUTE_PATH_INDICATOR field is ‘N’. |
Authority field values
The REQUIRED_AUTHORITY field, CURRENT_AUTHORITY field, and CURRENT_ADOPTED_AUTHORITY field can contain one of the values listed below.
- *ALL - Allows all operations on the object except those that are limited to the owner or controlled by authorization list management authority. This value is made up of the following detailed authority values: *OBJEXIST, *OBJMGT, *OBJOPR, *OBJALTER, *OBJREF, *READ, *ADD, *DLT, *UPD, *EXECUTE.
- *CHANGE - Allows all operations on the object except those that are limited to the owner or controlled by object existence authority, object alter authority, object reference authority, and object management authority. This value is made up of the following detailed authority values: *OBJOPR, *READ, *ADD, *DLT, *UPD, *EXECUTE.
- *USE - Allows access to the object attributes and use of the object. The user cannot change the object. This value is made up of the following detailed authority values: *OBJOPR, *READ, *EXECUTE.
- *EXCLUDE - All operations on the object are prohibited.
Detailed authority field values
The DETAILED_REQUIRED_AUTHORITY field, DETAILED_CURRENT_AUTHORITY field, and DETAILED_CURRENT_ADOPTED_AUTHORITY field can contain one or more of the values listed below.
- *OBJALTER: Object alter - provides authority to change the attributes of an object, such as adding or removing triggers and adding members for a database file.
- *OBJEXIST: Object existence - provides authority to control the object's existence and ownership.
- *OBJMGT: Object management - provides authority to specify security, to move or rename the object, and to add members if the object is a database file.
- *OBJOPR: Object operational - provides authority to look at the object's attributes and to use the object as specified by the data authorities that the user has to the object.
- *OBJREF: Object reference - provides authority to specify the object as the first level in a referential constraint.
- *ADD: Add - provides authority to add entries to the object.
- *DLT: Delete - provides authority to remove entries from the object.
- *EXECUTE: Execute - provides authority to run a program or search a library or directory.
- *READ: Read - provides authority to access the contents of the object.
- *UPD: Update - provides authority to change the content of existing entries in the object.
- *EXCLUDE: Exclude - all operations on the object are prohibited.
- *AUTLMGT: Authorization list management – the authority required to add, change or remove users and their authority from an Authorization List object.
- *OWNER: Ownership – the user owns the object and has all object and data authorities.
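The analysis described under DETAILED_REQUIRED_AUTHORITY, as an added example (not IBM code): it combines all collected entries for each user and object, maps the result to the smallest system-defined level from "Authority field values", and reports authority held beyond what was checked. The rows are constructed sample data keyed by the view's column names; the blank-separated format of the detailed fields and the choice to take the union of held authority across entries are assumptions.

```python
# Added example; SAMPLE rows are constructed, not output from a real system.
USE = {"*OBJOPR", "*READ", "*EXECUTE"}
CHANGE = USE | {"*ADD", "*DLT", "*UPD"}
ALL = CHANGE | {"*OBJEXIST", "*OBJMGT", "*OBJALTER", "*OBJREF"}
LEVELS = [("*USE", USE), ("*CHANGE", CHANGE), ("*ALL", ALL)]  # smallest first

def parse(detail):
    """Detailed authority field -> set of values (assumes blank-separated text)."""
    return set((detail or "").split()) - {"*EXCLUDE"}

def smallest_level(need):
    """Smallest system-defined level covering `need`; None if empty or not covered."""
    return next((name for name, vals in LEVELS if need and need <= vals), None)

def analyze(rows):
    """Summarise collected checks per (user, library, object, type)."""
    acc = {}
    for r in rows:
        key = (r["AUTHORIZATION_NAME"], r["SYSTEM_OBJECT_SCHEMA"],
               r["SYSTEM_OBJECT_NAME"], r["SYSTEM_OBJECT_TYPE"])
        e = acc.setdefault(key, {"need": set(), "any_of": [], "held": set(),
                                 "cached": False})
        req = parse(r["DETAILED_REQUIRED_AUTHORITY"])
        if r["CHECK_ANY_AUTHORITY"] == "1":
            e["any_of"].append(req)   # any one of these passes the check
        else:
            e["need"] |= req          # all of these are required
        e["held"] |= parse(r["DETAILED_CURRENT_AUTHORITY"])  # union over entries
        e["cached"] |= r["CACHED_AUTHORITY"] == "1"
    report = {}
    for key, e in acc.items():
        need = e["need"]
        report[key] = {
            "need": need,
            "level": smallest_level(need),
            # "ANY" checks not already satisfied by the all-of set: decide by hand
            "open_any_of": [g for g in e["any_of"] if not g & need],
            "excess": e["held"] - need,
            "review_cached": e["cached"],  # cached entries may be inaccurate
        }
    return report

def row(user, obj, req, held, any_="0", cached="0"):
    """Build one constructed row using the view's column names."""
    return {"AUTHORIZATION_NAME": user, "SYSTEM_OBJECT_SCHEMA": "APPLIB",
            "SYSTEM_OBJECT_NAME": obj, "SYSTEM_OBJECT_TYPE": "*FILE",
            "DETAILED_REQUIRED_AUTHORITY": req, "DETAILED_CURRENT_AUTHORITY": held,
            "CHECK_ANY_AUTHORITY": any_, "CACHED_AUTHORITY": cached}

FULL = " ".join(sorted(ALL))  # user APPUSER (hypothetical) holds *ALL on ORDERS
SAMPLE = [
    row("APPUSER", "ORDERS", "*OBJOPR *READ", FULL),
    row("APPUSER", "ORDERS", "*OBJOPR *ADD *UPD", FULL),
    row("APPUSER", "ORDERS", "*OBJEXIST *OBJMGT *READ", FULL, any_="1"),
    row("APPUSER", "PRICES", "*OBJOPR *READ", "*OBJOPR *READ *EXECUTE", cached="1"),
    row("APPUSER", "PRICES", "*OBJMGT *OBJEXIST", "*OBJOPR *READ *EXECUTE", any_="1"),
]
```

Entries flagged `review_cached` or listed in `open_any_of` need a manual decision before authority on the object is reduced.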