Start of change

IFS_OBJECT_PRIVILEGES table function

The IFS_OBJECT_PRIVILEGES table function returns a row for every user authorized to the object identified by the path name, along with their associated object and data authorities.

This information is similar to the information available through the Display Authority (DSPAUT) CL command and the Qp0lGetAttr()--Get Attributes API.

Authorization: The user needs either *ALLOBJ authority or the following authorities:
  • For objects not in the QSYS.LIB file system:
    • For each directory included in the path name prior to the object name, *X
    • For the object, *OBJMGT
  • For objects in the QSYS.LIB file system:
    • For each directory included in the path name prior to the object name, *X
    • For a *MBR object, *RX and *OBJMGT
    • For all other object types, *OBJMGT
Read syntax diagramSkip visual syntax diagram IFS_OBJECT_PRIVILEGES ( PATH_NAME => path-name,IGNORE_ERRORS => ignore-errors)
path-name
An expression that returns the path name identifying the object. A relative path name is relative to the current directory. If an absolute path name is not specified, the current working directory is used in combination with the relative path name to resolve to the object. If the last element of the path is a symbolic link, the privilege information will be for the symbolic link itself.
ignore-errors

A character or graphic string expression that identifies what to do when an error is encountered.

NO

An error is returned.

YES
A warning is returned.
No row is returned when an error is encountered. This is the default.

The result of the function is a table containing rows with the format shown in the following table. All the columns are nullable.

Table 1. IFS_OBJECT_PRIVILEGES table function
Column Name Data Type Description
PATH_NAME DBCLOB(16M) CCSID 1200 The full path name of the object.
OBJECT_TYPE VARCHAR(8) The type of the object.
OWNER VARCHAR(10) The user profile that owns the object.

Contains the null value if no owner is available.

PRIMARY_GROUP VARCHAR(10) The name of the user profile that is the primary group of the object. Can contain the following special value:
*NOUSRPRF
This special value is used by the Network File System to indicate that there is no user profile on the local server on the IBM i with a group ID (GID) matching the GID of the remote object.

Contains the null value if the object has no primary group.

AUTHORIZATION_LIST VARCHAR(10) The name of the authorization list if the object is secured by an authorization list.

Contains the null value if the object is not secured by an authorization list.

AUTHORIZATION_NAME VARCHAR(10) User profile name for this row. Can contain the following special values:
*NOUSRPRF
The authorities of either the owner or the primary group of the object for which the profile name could not be determined. This value is used by the Network File System only. It indicates that the user ID (UID) or the group ID (GID) for the remote object does not match any profile on the local server on the IBM i with that UID or GID.
*PUBLIC
This row contains the public authority for the object.
DATA_AUTHORITY VARCHAR(12) The operation, use, or access that AUTHORIZATION_NAME has to the object. Contains one of the following special values:
*AUTL
The public authority specified in the authorization list used by this object is used.
*EXCLUDE
All operations on the object are prohibited.
*NONE
The user does not have any data authorities.
*R
Allows access to the object attributes.
*RW
Allows access to the object attributes and allows the object to be changed. The user cannot use the object.
*RWX
Allows all operations on the object except those that are limited to the owner or controlled by the object rights.
*RX
Allows access to the object attributes and use of the object. The user cannot change the object.
*W
Allows the object to be changed.
*WX
Allows use of the object and allows the object to be changed. The user cannot access the object attributes.
*X
Allows the use of the object.
USER DEFINED
The specific data authorities do not match any of the predefined authority levels.
OBJECT_OPERATIONAL VARCHAR(3) Indicates the object operational authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
OBJECT_MANAGEMENT VARCHAR(3) The object management authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
OBJECT_EXISTENCE VARCHAR(3) The object existence authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
OBJECT_ALTER VARCHAR(3) The object alter authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
OBJECT_REFERENCE VARCHAR(3) The object reference authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
DATA_READ VARCHAR(3) The data read authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
DATA_ADD VARCHAR(3) The data add authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
DATA_UPDATE VARCHAR(3) The data update authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
DATA_DELETE VARCHAR(3) The data delete authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.
DATA_EXECUTE VARCHAR(3) The data execute authority for AUTHORIZATION_NAME.
NO
The user does not have this authority.
YES
The user has this authority.

Example

  • List all the authorities for all objects in the /usr directory.
    WITH OBJS AS (SELECT PATH_NAME 
             FROM TABLE (QSYS2.IFS_OBJECT_STATISTICS(START_PATH_NAME => '/usr'))) 
      SELECT * FROM OBJS, TABLE(QSYS2.IFS_OBJECT_PRIVILEGES(PATH_NAME));
End of change