Analyze authority collection data

The authority collection data can be analyzed to help you secure the objects in an application.

The detailed required authority value that is returned in the DETAILED_REQUIRED_AUTHORITY field by the authority collection views is a key piece of information available to help the security administrator or application owner better secure the object. The detailed required authority value represents the authority that the system requires to pass the authority check against the object. By analyzing the detailed required authority value from every authority collection entry for a specific object, you can determine the minimum level of authority that can be granted to an object and still allow the application to run successfully.

To generate the authority collection entries, you must run the application to completion, taking into account all code paths within the application. For example, if the application has special processing for end of quarter or year end, you must consider these code paths along with the normal runtime processing within the application. After the authority collection entries are generated, the detailed required authority values from the authority collection determine what authority the user needs to run the application successfully. If the detailed required authority value from all authority collection entries is less than the user's current authority, the excess authority can be revoked for this user (or group or *PUBLIC) to set the authority to the lowest possible value and better secure the object.

Two authority collection values that are returned by the authority collection views, DETAILED_CURRENT_AUTHORITY and DETAILED_CURRENT_ADOPTED_AUTHORITY, provide the authority values available in the job at the time of the authority check. The authority available in the job comes from the user’s authority, the authority from any group user profiles, public authority, and adopted authority from the owner of currently running programs or service programs in the job. The AUTHORITY_SOURCE and ADOPTED_AUTHORITY_SOURCE values that are returned by the view indicate the source of the authority data that is logged in each authority collection entry.
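The analysis described above, sketched as an added example (not IBM-supplied code): it takes the union of the detailed required authority across every entry for an object and reports which currently held authorities are never required. The rows are constructed, and the "object" key, the object names and the space-separated value format are assumptions; only the two DETAILED_* field names come from the text.

```python
from collections import defaultdict

# Constructed sample rows, shaped like an export of an authority collection
# view. DETAILED_REQUIRED_AUTHORITY and DETAILED_CURRENT_AUTHORITY are the
# field names from the text; the "object" key, the object names and the
# space-separated value format are assumptions made for this example.
ALL = "*OBJOPR *OBJMGT *OBJEXIST *OBJALTER *OBJREF *READ *ADD *UPD *DLT *EXECUTE"
SAMPLE_ROWS = [
    {"object": "APPLIB/ORDERS *FILE",
     "DETAILED_REQUIRED_AUTHORITY": "*OBJOPR *READ",
     "DETAILED_CURRENT_AUTHORITY": ALL},
    {"object": "APPLIB/ORDERS *FILE",   # e.g. a year-end code path
     "DETAILED_REQUIRED_AUTHORITY": "*OBJOPR *UPD",
     "DETAILED_CURRENT_AUTHORITY": ALL},
    {"object": "APPLIB/RATES *FILE",
     "DETAILED_REQUIRED_AUTHORITY": "*OBJOPR *READ",
     "DETAILED_CURRENT_AUTHORITY": "*OBJOPR *READ"},
]


def parse_authorities(value):
    """Split a detailed authority string into a set of authority names."""
    return set((value or "").upper().split())


def analyze(rows):
    """Per object: minimum authority needed and the excess currently held."""
    required = defaultdict(set)
    current = defaultdict(set)
    for row in rows:
        obj = row["object"]
        # The minimum grant is the union of what every logged check required.
        required[obj] |= parse_authorities(row["DETAILED_REQUIRED_AUTHORITY"])
        # Authority seen in the job for any check counts as currently held.
        current[obj] |= parse_authorities(row["DETAILED_CURRENT_AUTHORITY"])
    return {
        obj: {
            "minimum": sorted(required[obj]),
            "excess": sorted(current[obj] - required[obj]),
        }
        for obj in required
    }


if __name__ == "__main__":
    for obj, result in analyze(SAMPLE_ROWS).items():
        print(obj, "needs", " ".join(result["minimum"]),
              "| revocable:", " ".join(result["excess"]) or "none")
```

Before revoking anything reported as excess, use AUTHORITY_SOURCE to see whether it comes from the user, a group profile, or public authority, and confirm that the collection covered every code path.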