Resource security

The ability to access an object is called authority. Resource security on the IBM® i operating system enables you to control object authorities by defining who can use which objects and how those objects can be used.

You can specify detailed authorities, such as adding records or changing records. Or you can use the system-defined subsets of authorities: *ALL, *CHANGE, *USE, and *EXCLUDE.

Files, programs, and libraries are the most common objects requiring security protection, but you can specify authority for any object on the system. The following list describes the features of resource security:

Group profiles
A group of similar users can share the same authority to use objects.
Authorization lists
Objects with similar security needs can be grouped in one list. Authority can be granted to the list rather than to the individual objects.
Object ownership
Every object on the system has an owner. Objects can be owned by an individual user profile or by a group profile. Correct assignment of object ownership helps you manage applications and delegate responsibility for the security of your information.
Primary group
You can specify a primary group for an object. The primary group’s authority is stored with the object. Using primary groups may simplify your authority management and improve authority checking performance.
Library authority
You can put files and programs that have similar protection requirements into a library and restrict access to that library. This is often easier than restricting access to each individual object.
Directory authority
You can use directory authority in the same way that you use library authority. You can group objects in a directory and secure the directory rather than the individual objects.
Object authority
In cases where restricting access to a library or directory is not specific enough, you can restrict authority to access individual objects.
Public authority
For each object, you can define what kind of access is available for any system user who does not have any other authority to the object. Public authority is an effective means for securing information and provides good performance.
Adopted authority
Adopted authority adds the authority of a program owner to the authority of the user running the program. Adopted authority is a useful tool when a user needs different authority for an object, depending on the situation.
Authority holder
An authority holder stores the authority information for a program-described database file. The authority information remains, even when the file is deleted. Authority holders are commonly used when converting from the System/36, because System/36 applications often delete files and create them again.
Field level authority
Field level authorities are given to individual fields in a database file. You can use SQL statements to manage this authority.
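The features above combine into one least-privilege layout. The following CL commands, as typed at an IBM i command line, are an added example and not part of IBM's own text; every library, file, profile and list name (PAYLIB, PAYGRP, PAYOWN, PAYAUTL, HRCLERK, the /payroll/exports directory) is hypothetical, and the field level step assumes Db2 for i column privileges issued through RUNSQL.

```cl
/* Constructed example: only group PAYGRP may read the payroll library, */
/* updates go through one program that adopts its owner's authority,   */
/* and one column is restricted separately. All names are hypothetical. */

/* 1. Group profile and a member; the member inherits the group's      */
/*    private authorities. Group and owner profiles get no password.   */
CRTUSRPRF USRPRF(PAYGRP) PASSWORD(*NONE) TEXT('Payroll users group')
CRTUSRPRF USRPRF(PAYOWN) PASSWORD(*NONE) TEXT('Payroll application owner')
CRTUSRPRF USRPRF(PAYUSR1) GRPPRF(PAYGRP) OWNER(*GRPPRF) TEXT('Payroll clerk')

/* 2. Library authority: *PUBLIC gets nothing, the group gets *USE.     */
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(PAYGRP)  AUT(*USE)

/* 3. Authorization list for files that share one security need:       */
/*    readers get *USE, only the application owner gets *CHANGE.        */
CRTAUTL AUTL(PAYAUTL) AUT(*EXCLUDE) TEXT('Payroll master files')
ADDAUTLE AUTL(PAYAUTL) USER(PAYGRP) AUT(*USE)
ADDAUTLE AUTL(PAYAUTL) USER(PAYOWN) AUT(*CHANGE)
GRTOBJAUT OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB/PAYHIST)  OBJTYPE(*FILE) AUTL(PAYAUTL)
/* Public authority *AUTL makes the list's public setting apply.        */
GRTOBJAUT OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(PAYLIB/PAYHIST)  OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 4. Primary group: authority stored with the object, checked early.   */
CHGOBJPGP OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE) NEWPGP(PAYGRP) PGPAUT(*USE)

/* 5. Ownership and adopted authority: PAYOWN owns the update program,  */
/*    so a clerk running it gains *CHANGE on the files only while the   */
/*    program runs; the clerk still cannot update the files directly.   */
CHGOBJOWN OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) NEWOWN(PAYOWN)
CHGPGM PGM(PAYLIB/PAYUPD) USRPRF(*OWNER) USEADPAUT(*YES)

/* 6. Field level authority is managed with SQL; here only HRCLERK may  */
/*    update the SALARY column of the EMPLOYEE file.                    */
RUNSQL SQL('GRANT UPDATE (SALARY) ON PAYLIB.EMPLOYEE TO HRCLERK') COMMIT(*NONE)

/* 7. Directory authority follows the same pattern in the IFS.          */
CHGAUT OBJ('/payroll/exports') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
CHGAUT OBJ('/payroll/exports') USER(PAYGRP)  DTAAUT(*RX)      OBJAUT(*NONE)

/* 8. Verify the result: *PUBLIC should show *EXCLUDE on the library,   */
/*    the files should name PAYAUTL, and the list should hold two users.*/
DSPOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB)
DSPOBJAUT OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE)
DSPAUTL AUTL(PAYAUTL)
```

Run the DSPOBJAUT checks again after any application install or restore, since objects created later in PAYLIB receive the library's CRTAUT default rather than the list unless they are explicitly attached to it.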