Flowchart 5: Fast path for user authority checking

Flowchart 5 shows the fast path for testing user authority without searching private authorities.

Figure 1. Flowchart 5: Fast path for user authority
Flowchart 5 notes:
  1. Authority is considered less than public if any authority that is present for *PUBLIC is not present for another user. In the example shown in Table 1, the public has *OBJOPR, *READ, and *EXECUTE authority to the object. WILSONJ has *EXCLUDE authority and does not have any of the authorities the public has. Therefore, this object does have private authority less than its public authority. (OWNAR also has less authority than the public, but owner authority is not considered private authority.)
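    Table 1. Public versus private authority

    | Authority / Users | OWNAR | DPTMG | WILSONJ | *PUBLIC |
    |---|---|---|---|---|
    | Object Authorities: | | | | |
    | *OBJOPR | | X | | X |
    | *OBJMGT | X | | | |
    | *OBJEXIST | | | | |
    | *OBJALTER | | | | |
    | *OBJREF | | | | |
    | Data Authorities | | | | |
    | *READ | | X | | X |
    | *ADD | | X | | |
    | *UPD | | X | | |
    | *DLT | | X | | |
    | *EXECUTE | | X | | X |
    | *EXCLUDE | | | X | |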
  2. This path provides a method for using public authority, if possible, even though private authority exists for an object. The system tests to make sure that nothing later in the authority checking process might deny access to the object. If the result of these tests is Sufficient, searching private authorities can be avoided.

Description of Flowchart 5: Fast path for user authority

This flowchart shows the fast path for testing user authority without searching private authorities.
  1. The system determines if there are any private authorities to the object being checked. If there are private authorities to the object, then the authority check proceeds to Step 2. If there is no private authority, the authority check proceeds to Step 3.
  2. If private authorities exist, then the system determines if the object has private authorities that are less than its public authority. (See note 1.) If the object does have private authorities that are less than its public authority, then the system returns to the calling flowchart with no authority or insufficient authority found. If the object does not have private authorities that are less than its public authority (see note 2), then the authority check proceeds to Step 3.
  3. If the object does not have any private authorities or the object does not have private authorities that are less than its public authority, then the system determines if the public authority is sufficient. If the public authority is sufficient, then the authority check proceeds to Step 4. If the public authority is insufficient, then the system returns to the calling flowchart with no authority or insufficient authority found.
  4. If the public authority is sufficient, then the system determines if the object owner's authority is sufficient. If the object owner's authority is sufficient, then the authority check proceeds to Step 5. If the object owner's authority is insufficient, then the system returns to the calling flowchart with no authority or insufficient authority found.
  5. If the object owner's authority is sufficient, then the system determines if the object's primary group authority is sufficient. If the object's primary group authority is sufficient, then the authority check proceeds to Step 6. If the object's primary group authority is insufficient, then the system returns to the calling flowchart with no authority or insufficient authority found.
  6. If the object's primary group authority is sufficient, then the system determines if the object is secured by an authorization list. If the object is secured by an authorization list, then the system returns to the calling flowchart with no authority or insufficient authority found. If the object is not secured by an authorization list, then the user is authorized to the object.
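
The six steps above, written out as an added Python model that is not IBM code or an IBM i API, run against the Table 1 object. `SecuredObject`, `fast_path` and the returned step number are hypothetical names; authorities are modelled as plain sets, and the primary group value and the three variant objects are constructed for illustration.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class SecuredObject:                      # hypothetical model, not an IBM i API
    public: frozenset                     # *PUBLIC authority
    owner: frozenset                      # owner authority (not private authority)
    primary_group: frozenset              # primary group authority
    private: dict = field(default_factory=dict)  # user -> private authorities
    authorization_list: bool = False      # secured by an authorization list?

def private_less_than_public(obj):
    # Note 1: true if any authority present for *PUBLIC is missing for a private user.
    return any(not obj.public <= held for held in obj.private.values())

def fast_path(obj, required):
    """Return (authorized, step). False means control returns to the calling
    flowchart with no authority or insufficient authority found at that step."""
    required = frozenset(required)
    if obj.private and private_less_than_public(obj):        # steps 1 and 2
        return (False, 2)
    checks = ((3, obj.public), (4, obj.owner), (5, obj.primary_group))
    for step, held in checks:                                # steps 3, 4 and 5
        if not required <= held:
            return (False, step)
    if obj.authorization_list:                               # step 6
        return (False, 6)
    return (True, 6)

PUBLIC = frozenset({"*OBJOPR", "*READ", "*EXECUTE"})
DPTMG = PUBLIC | {"*ADD", "*UPD", "*DLT"}
# Table 1 from the page; the primary group value is constructed (Table 1 has none).
TABLE1 = SecuredObject(public=PUBLIC, owner=frozenset({"*OBJMGT"}),
                       primary_group=PUBLIC,
                       private={"DPTMG": DPTMG, "WILSONJ": frozenset({"*EXCLUDE"})})
# Constructed variants that let the check reach the later steps.
NO_EXCLUDE = replace(TABLE1, private={"DPTMG": DPTMG})
OWNER_OK = replace(NO_EXCLUDE, owner=DPTMG | {"*OBJMGT"})
ON_AUTL = replace(OWNER_OK, authorization_list=True)

if __name__ == "__main__":
    for name, obj in [("TABLE1", TABLE1), ("NO_EXCLUDE", NO_EXCLUDE),
                      ("OWNER_OK", OWNER_OK), ("ON_AUTL", ON_AUTL)]:
        print(name, fast_path(obj, {"*READ"}))
```

Removing WILSONJ's *EXCLUDE is not enough to pass the fast path for the Table 1 object: OWNAR holds only *OBJMGT, so a *READ request still fails at step 4.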