Authorization list security

You can group objects with similar security requirements using an authorization list.

An authorization list, conceptually, contains a list of users and the authorities that the users have for the objects secured by the list. Each user can have a different authority to the set of objects the list secures. When you give a user authority to the authorization list, the operating system actually grants a private authority for that user to the authorization list.

You can also use an authorization list to define public authority for the objects in the list. If the public authority for an object is set to *AUTL, the object gets its public authority from its authorization list.

The authorization list object is used as a management tool by the system. It actually contains a list of all objects that are secured by the authorization list. This information is used to build displays for viewing or editing the authorization list objects.

You cannot use an authorization list to secure a user profile or another authorization list. Only one authorization list can be specified for an object.

Only the owner of the object, a user with all object (*ALLOBJ) special authority, or a user with all (*ALL) authority to the object, can add or remove the authorization list for an object.
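The following CL program is an added example, not part of the original topic. It walks through the steps described above: create a list, give users different authorities to it, secure an object with it, and have the object take its public authority from the list. The names PAYLIST, PAYLIB/PAYMAST, PAYCLERK and AUDITOR are hypothetical, and the user profiles and the file are assumed to exist already.

```cl
PGM
  /* Hypothetical names used throughout (not from the original topic):  */
  /*   list PAYLIST, file PAYLIB/PAYMAST, users PAYCLERK and AUDITOR    */

  /* Create the authorization list. AUT sets the public authority       */
  /* held on the list itself; *EXCLUDE denies users not on the list.    */
  CRTAUTL AUTL(PAYLIST) AUT(*EXCLUDE) TEXT('Payroll files')

  /* Each entry becomes a private authority for that user to the list.  */
  /* Different users can hold different authorities.                    */
  ADDAUTLE AUTL(PAYLIST) USER(PAYCLERK) AUT(*CHANGE)
  ADDAUTLE AUTL(PAYLIST) USER(AUDITOR) AUT(*USE)

  /* Secure the object with the list. The caller must be the object     */
  /* owner, have *ALLOBJ special authority, or have *ALL authority to   */
  /* the object.                                                        */
  GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYLIST)

  /* Have the object take its public authority from the list. This      */
  /* must follow the step above: *AUTL is only valid for *PUBLIC on an  */
  /* object that is already secured by an authorization list.           */
  GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

  /* Review the result: users on the list, objects the list secures,    */
  /* and the authorities recorded on the object itself.                 */
  DSPAUTL AUTL(PAYLIST) OUTPUT(*PRINT)
  DSPAUTLOBJ AUTL(PAYLIST) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
ENDPGM
```

Private authorities granted directly on the object before it was attached to the list remain in place, so check the DSPOBJAUT output for any you did not intend to keep.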

Objects in the system library (QSYS) can be secured with an authorization list. However, the name of the authorization list that secures an object is stored with the object. In some cases, when you install a new release of the operating system, all the objects in the QSYS library are replaced. The association between the objects and your authorization list will be lost. You can restore the association for these objects if you have saved security data from a previous release of IBM® i 7.3 or higher. Run RSTUSRPRF USRPRF(*NEW) and then RSTAUT to restore these associations.

See the topic Advantages of using an authorization list for examples of how to use authorization lists.