Flowchart 6: How group authority is checked

A user might be a member of up to 16 groups. A group might have private authority to an object, or it might be the primary group for an object.

Authority from one or more of the user's groups might be accumulated to find sufficient authority for the object being accessed. For example, WAGNERB needs *CHANGE authority to the CRLIM file. *CHANGE authority includes *OBJOPR, *READ, *ADD, *UPD, *DLT, and *EXECUTE. Table 1 shows the authorities for the CRLIM file:

Table 1. Accumulated group authority

                        Users
Authority               OWNAR   DPT506   DPT702   *PUBLIC
Object authorities:
  *OBJOPR                 X       X        X
  *OBJMGT                 X
  *OBJEXIST               X
  *OBJALTER               X
  *OBJREF                 X
Data authorities:
  *READ                   X       X        X
  *ADD                    X       X
  *UPD                    X       X        X
  *DLT                    X                X
  *EXECUTE                X       X        X
  *EXCLUDE                                            X

WAGNERB needs both DPT506 and DPT702 to get sufficient authority to the CRLIM file. DPT506 is missing *DLT authority, and DPT702 is missing *ADD authority.

Flowchart 6 (Figure 1) shows the steps in checking group authority.

Figure 1. Flowchart 6: Group authority checking
Note: If the user is signed on as the profile that is the primary group for an object, the user cannot receive authority to the object through the primary group.
Description of Flowchart 6: Group authority checking
  1. The system determines if the group has *ALLOBJ authority. If it does, then the group is authorized. If it does not, authority checking proceeds to Step 2.
  2. The group does not have *ALLOBJ authority so the system sets the object that is being checked to be equal to the original object.
  3. After the system sets the object to the original, it checks owner authority (see Flowchart 4). If authority is sufficient, then the group is authorized. If the authority is not sufficient, then the authority check goes to Step 11. If the authority is not found, then the authority check proceeds to Step 4.
  4. The owner authority is not found so the system checks if the group is the object's primary group.
    Note: If the user is signed on as the profile that is the primary group for an object, the user cannot receive authority to the object through the primary group.
    If the group is the object's primary group, then the authority check proceeds to Step 5. If the group is not the object's primary group, then authority check proceeds to Step 6.
  5. The group is the object's primary group so the system checks and tests the primary group authority. If primary group authority is sufficient, then the group is authorized. If primary group authority is not found, then the authority check goes to Step 7. If the primary group authority is insufficient, then the authority check goes to Step 11.
  6. The group is not the object's primary group so the system looks up the private authorities in the group profile. If authority is found, then authority checking goes to Step 10. If authority is not found, then authority checking proceeds to Step 7.
  7. No authority is found for the private authorities for the group profile so the system checks to see if the object is secured by an authorization list. If the object is secured by an authorization list, then the authority check proceeds to Step 8. If the object is not secured by an authorization list, then the authority check goes to Step 11.
  8. The object is secured by an authorization list so the system sets the object to be checked equal to the authorization list and the authority check returns to Step 3.
  9. The user belongs to another group profile so the system sets the profile to the next group profile and returns to Step 1 to start the authority checking process over again.
  10. Authority is found for private authorities within the group profile so the private authorities are checked and tested in the group profile. If authorities are sufficient, then the group profile is authorized. If it is not sufficient, then the authority check goes to Step 11.
  11. Authority is not found or is insufficient so the system checks to see if the user is associated with another group profile. If the user does belong to another group profile, then the system goes to Step 9. If the user does not belong to another group profile, then the system returns to the calling flowchart with insufficient authority or no authority found.
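The following Python model walks the steps above for each of a user's groups and accumulates what is found, using the CRLIM data from Table 1. It is an added illustration, not IBM i code: the owner check of Flowchart 4 is simplified to "the group owns the object, so it gets the owner's listed authorities", primary group authority is stored as a separate field, an authorization list is modeled as another secured object so that Step 8 can re-run Step 3 on it, and a group holding *EXCLUDE is assumed to contribute nothing to the accumulated set. The class and function names are this example's own.

```python
"""Simulation of Flowchart 6 (group authority checking) with accumulation
across groups. Added example; assumptions are marked in comments."""

ALL_AUTHORITIES = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
                   "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
# *CHANGE as defined in the text above.
CHANGE = {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}


class SecuredObject:
    """Constructed model of an object: owner, private authorities per profile,
    optional primary group with its authority, optional authorization list."""

    def __init__(self, name, owner, private, primary_group=None,
                 primary_group_auth=None, autl=None):
        self.name = name
        self.owner = owner
        self.private = private                      # profile -> set of authorities
        self.primary_group = primary_group
        self.primary_group_auth = primary_group_auth or set()
        self.autl = autl                            # SecuredObject or None


def group_authority(group, obj, allobj=frozenset()):
    """Steps 1-8 for one group profile. Returns the set of authorities found
    for this group; an empty set means 'authority not found'."""
    if group in allobj:                             # Step 1: *ALLOBJ special authority
        return set(ALL_AUTHORITIES)
    current = obj                                   # Step 2: start with the original object
    while True:
        if group == current.owner:                  # Step 3 (Flowchart 4, simplified)
            return set(current.private.get(group, set()))
        if group == current.primary_group:          # Steps 4-5: primary group authority
            if current.primary_group_auth:
                return set(current.primary_group_auth)
        elif group in current.private:              # Steps 6 and 10: private authority
            return set(current.private[group])
        if current.autl is None:                    # Step 7: no authorization list -> Step 11
            return set()
        current = current.autl                      # Step 8: check the list, back to Step 3


def check_group_authority(groups, obj, required, allobj=frozenset()):
    """Steps 9 and 11: try each group in turn (up to 16), accumulating the
    authorities found. Returns (result, accumulated) where result is
    'authorized', 'insufficient' or 'not found'."""
    accumulated = set()
    found_any = False
    for group in groups[:16]:
        found = group_authority(group, obj, allobj)
        if found:
            found_any = True
            # Assumption: *EXCLUDE adds nothing to the accumulated authority.
            accumulated |= found - {"*EXCLUDE"}
        if required <= accumulated:
            return "authorized", accumulated
    return ("insufficient" if found_any else "not found"), accumulated


# Constructed data: the CRLIM file exactly as listed in Table 1.
CRLIM = SecuredObject(
    "CRLIM",
    owner="OWNAR",
    private={
        "OWNAR": set(ALL_AUTHORITIES),
        "DPT506": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*EXECUTE"},
        "DPT702": {"*OBJOPR", "*READ", "*UPD", "*DLT", "*EXECUTE"},
        "*PUBLIC": {"*EXCLUDE"},
    },
)

# Constructed data: an object with no private entry for DPT506 itself, but
# secured by an authorization list (hypothetical name AUTL1) that grants it.
AUTL1 = SecuredObject("AUTL1", owner="QSECOFR", private={"DPT506": set(CHANGE)})
LISTED = SecuredObject("LISTED", owner="OWNAR", private={}, autl=AUTL1)


def wagnerb_result():
    """WAGNERB (groups DPT506 and DPT702) needs *CHANGE to CRLIM."""
    return check_group_authority(["DPT506", "DPT702"], CRLIM, CHANGE)


if __name__ == "__main__":
    print(wagnerb_result())
    print(check_group_authority(["DPT506"], CRLIM, CHANGE))
    print(check_group_authority(["DPT506"], LISTED, CHANGE))
```

Running the module prints that DPT506 and DPT702 together are authorized, that DPT506 alone is insufficient because *DLT is still missing, and that DPT506 reaches *CHANGE on LISTED only through the authorization list (Steps 7 and 8).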