Authorization lists

Like a group profile, an authorization list allows you to group objects with similar security requirements and associate the group with a list of users and user authorities.

Authorization lists provide an efficient way to manage the authority to similar objects on the system and aid in the recovery of security information.

Providing each user with explicit access to every object they need to work with might create a great deal of duplicated effort, because many users need to access the same group of objects. A much easier way to provide this access is to create authorization lists. Authorization lists consist of a list of users or groups, the type of authority (*USE, *CHANGE, and *EXCLUDE) for each user or group, and a list of objects to which that this list provides access.

For example, you can create an authorization list to contain a list of objects related to an inventory database. A user responsible for ordering new inventory items can be granted authority to see the contents of the database objects. Additionally, a user group in shipping and receiving needs to update this database as parts come in and out of stock. This group can have authority to change the contents of the objects.

An authorization list has these advantages:
  • Authorization lists simplify managing authorities. User authority is defined for the authorization list, not for the individual objects on the list. If a new object is secured by the authorization list, the users on the list gain authority to the object.
  • One operation can be used to give a user authority to all the objects on the list.
  • Authorization lists reduce the number of private authorities on the system. Each user has a private authority to one object, the authorization list. This gives the user authority to all the objects on the list. Reducing the number of private authorities in the system has the following advantages:
    • Reduces the size of user profiles.
    • Improves the performance when saving the system (SAVSYS) or saving the security data (SAVSECDTA).
  • Authorization lists provide a good way to secure files. If you use private authorities, each user will have a private authority for each file member. If you use an authorization list, each user will have only one authority. Also, by default files that are open cannot have authority granted to the file or revoked from the file. If you secure the file with an authorization list, you can change the authorities, even when the file is open.
  • Authorization lists provide a way to remember authorities when an object is saved. When an object is saved that is secured by an authorization list, the name of the authorization list is saved with the object. If the object is deleted and restored to the same system, it is automatically linked to the authorization list again. If the object is restored on a different system or logical partition, the authorization list is not linked, unless ALWOBJDIF(*ALL), ALWOBJDIF(*AUTL), or ALWOBJDIF(*COMPATIBLE) is specified on the restore command.

From a security management view, an authorization list is the preferred method to manage objects that have the same security requirements. Even when there are only a few objects that are secured by the list, there is still an advantage to using an authorization list instead of using private authorities on the object. Because the authorities are in one place (the authorization list), it is easier to change who is authorized to the objects. It is also easier to secure any new objects with the same security level authorities as the existing objects.

If you use authorization lists, you should not have private authorities on the object. Two searches of the users' private authorities are required during authority checking if the object is secured by an authorization list and has private authorities. The first search is for the private authorities on the object; the second search is for the private authorities on the authorization list.

Two searches require additional system resources and system performance can be impacted. If you use only the authorization list, only one search is performed. Also, because of the use of authority caching with the authorization list, the performance for the authority check will be the same as it is for checking only private authorities on the object.