General rules for object authorities on commands

Edit online

This table shows the general rules for object authorities on commands.

Command Referenced object Authority needed
For object For library
Change (CHG) with F4 (Prompt)7 Current values The current values are displayed if the user has authority to those values. *EXECUTE
Command accessing object in directory Directories in path prefix *X  
Directory when pattern is specified (* or ?) *R  
Creating object in directory Directories in path prefix *X  
Directory to contain new object *WX  
Copy (CPY) where to-file is a database file Object to be copied *OBJOPR, *READ *EXECUTE
CRTPF command, if CRTFILE (*YES) is specified *OBJOPR *EXECUTE
To-file, if CRTFILE (*YES) is specified1   *ADD, *EXECUTE
To-file, if it exists and new member is added *OBJOPR, *OBJMGT, *ADD, *DLT *ADD, *EXECUTE
To-file, if file and member exist and *ADD option is specified *OBJOPR, *ADD *EXECUTE
To-file, if file and member exist and *REPLACE option is specified *OBJOPR, *OBJMGT, *ADD, *DLT *EXECUTE
To-file, if it exists, a new member is added, and *UPDADD option is specified.8 *OBJOPR, *OBJMGT, *ADD, *UPD *EXECUTE
To-file, if file and member exist and *UPDADD option is specified.8 *OBJOPR, *ADD, *UPD *EXECUTE
Create (CRT) Object to be created2   *READ, *ADD
User profile that will own created object (either the user profile running the job or the user’s group profile) *ADD  
Create (CRT) if REPLACE(*YES) is specified 6, 9 Object to be created (and replaced)2 *OBJMGT, *OBJEXIST, *READ5 *READ, *ADD
User profile that will own created object (either the user profile running the job or the user's group profile) *ADD  
Display (DSP) or other operation using output file (OUTPUT(*OUTFILE)) Object to be displayed *USE *EXECUTE
Output file, if file does not exist3   *ADD, *EXECUTE
Output file, if file exists and new member is added and *REPLACE option specified and member did not previously exist *OBJOPR, *OBJMGT or *OBJALTER, *ADD, *DLT *ADD, *EXECUTE
Output file, if file exists and new member is added and *ADD option specified and member did not previously exist OBJOPR, *OBJMGT or *OBJALTER, *ADD *ADD, *EXECUTE
Output file, if file and member exist and *ADD option is specified *OBJOPR, *ADD *EXECUTE
Output file, if file and member exist and *REPLACE option is specified *OBJOPR, *OBJMGT or *OBJALTER, *ADD, *DLT *EXECUTE
Format file (QAxxxxx), if output file does not exist *OBJOPR  
Display (DSP) using *PRINT or Work (WRK) using *PRINT Object to be displayed *USE *EXECUTE
Output queue4 *READ *EXECUTE
Printer file (QPxxxxx in QSYS) *USE *EXECUTE
Save (SAV) or other operation using device description Device description *USE *EXECUTE
Device file associated with device description, such as QSYSTAP for the TAP01 device description *USE *EXECUTE
1
The user profile running the copy command becomes the owner of the to-file, unless the user is a member of a group profile and has OWNER(*GRPPRF). If the user's profile specifies OWNER(*GRPPRF), the group profile becomes the owner of the to-file. In that case, the user running the command must have *ADD authority to the group profile and the authority to add a member and write data to the new file. The to-file is given the same public authority, primary group authority, private authorities, and authorization list as the from-file.
2
The user profile running the create command becomes the owner of the newly created object, unless the user is a member of a group profile and has OWNER(*GRPPRF). If the user's profile specifies OWNER(*GRPPRF), the group profile becomes the owner of the newly created object. Public authority to the object is controlled by the AUT parameter.
3
The user profile that is running the display command becomes the owner of the newly created output file, unless the user is a member of a group profile and has OWNER(*GRPPRF). If the user's profile specifies OWNER(*GRPPRF), the group profile becomes the owner of the output file. Public authority to the output file is controlled by the CRTAUT parameter of the output file library.
4
If the output queue is defined as OPRCTL (*YES), a user with *JOBCTL special authority does not need any additional authority to the output queue. A user with *SPLCTL special authority does not need any additional authority to the output queue.
5
For device files, *OBJOPR authority is also required.
6
The REPLACE parameter is not available in the S/38 environment. REPLACE(*YES) is equivalent to using a function key from the programmer menu to delete the current object.
7
Authority to the corresponding (DSP) command is also required.
8
The *UPDADD option in only available on the MBROPT parameter of the CPYF command.
9
This does not apply to the REPLACE parameter on the CRTJVAPGM command.