Start authority collection

Authority collection can be started for a user or for objects. The same data is collected for authority collection for objects and for authority collection for a user (when authority collection is started for the user with DETAIL(*OBJINF)).

The difference between authority collection for a user and authority collection for objects

  • Authority collection for a user collects authority information for authority checks on objects that are performed when a job is running under the specified user.
  • Authority collection for objects collects authority information for all authority checks on the specified objects regardless of the user the job is running under.

Starting authority collection for a user

Authority collection by user means that the authority collection is only active for the “current user profile” of the job (the thread effective user profile). Authority collection can be active for multiple users at the same time and an authority collection repository exists for each user. By default, the data that is collected is object level authority data for the user. Object level authority data is defined as private authorities for a user to an object (including authorities from an authorization list), group profile authority information, public authority, and program adopted authority. The intent of this support is to allow the customer to better secure their data objects with object level authority settings.

Starting authority collection for a group user profile can be done but the authority collection for this user takes effect only when the user profile (the group profile in this case) is the “current user profile” of the job (essentially, from an authority checking standpoint, the user profile is not a group profile in this situation). For example, if USR1 has a group profile of GRP2, and authority collection is started for GRP2, no authority data is logged when user USR1 is the current user of the job and GRP2 is in the group profile list. Authority collection for user profile GRP2 occurs if GRP2 is the current user of the job. In addition, starting authority collection for a user profile that owns a program or service program that adopts owner authority does not have authority data logged (unless this user profile is the current user of the job). For example, user profile OWN1 owns a program that is called PGM1 and this program adopts owner authority (OWN1 is the program owner). If STRAUTCOL is run for user profile OWN1, and PGM1 is called by user USR1, no authority data is logged under the OWN1 authority collection repository. If USR1 is specified on STRAUTCOL, the authority collection data would be logged for program PGM1, including the information that PGM1 adopts the owner’s authority. For group profile and adopted authority situations, significant authority collection information is logged to the authority collection repository of the current user when either the group or adopting program owner is used to satisfy an authority check.

The Start Authority Collection (STRAUTCOL) command specifying TYPE(*USRPRF) is used to start the authority collection for a specified user profile. The command provides options to collect information for objects in libraries, document library objects (*DOC and *FLR object types), and objects in the "root" (/), QOpenSys, and user-defined file systems.

For objects in libraries, you can select which libraries, objects (including generic names), and object types to include in the authority collection for the specified user. In addition, an Omit Library (OMITLIB) parameter is available to omit certain libraries and corresponding objects from the authority collection.

For document library objects and file system objects, STRAUTCOL provides an option to include information only about specific object types. While the collection itself cannot be restricted to particular objects, folders, or directories, the interfaces provided for analyzing a collection are fully capable of selecting and reporting data only for specific objects of interest.

The Detail (DETAIL) parameter on the STRAUTCOL command specifies the details that are used to determine whether an authority check is for a unique instance. One unique instance is collected for each check. The *OBJINF value indicates that the authority checking information is collected for each unique instance of the object level information that is associated with the authority check. Specifying this value results in the collection of object level unique authority checks regardless of the job that accesses the object and regardless of the unique code paths within the job. The *OBJJOB value indicates that the authority checking information is collected for each unique instance of the object level information that is associated with the authority check and each unique instance of the job information that is associated with the authority check. Specifying this value results in the collection of object and job level unique authority checks plus each unique code path within the job is collected. For examples, see the Start Authority Collection (STRAUTCOL) command.

Authority collection for a specified user can be started by using the STRAUTCOL TYPE(*USRPRF) command and ended by using the ENDAUTCOL TYPE(*USRPRF) command. Authority collection can be restarted for a user after it is ended by using the STRAUTCOL TYPE(*USRPRF) command. This provides the capability to collect more authority data when the authority collection is restarted.

To collect authority information for the users that an application runs under:
  1. Start authority collection for the user the application runs under. If the application runs under different users, then start authority collection for each user.
    • STRAUTCOL TYPE(*USRPRF) USRPRF(up_name) ...
  2. Run the application.
  3. End authority collection for each user.
    • ENDAUTCOL TYPE(*USRPRF) USRPRF(up_name)
  4. Analyze the authority data that is collected for each user.
  5. Delete the authority collection data when it is no longer needed.
    • DLTAUTCOL TYPE(*USRPRF) USRPRF(up_name)
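The user-based procedure above wrapped in a CL program that handles every profile the application runs under, as an added example that is not part of the original page. The program name AUTCOLUSR, its parameter layout, and the authorities the caller needs are assumptions; DETAIL(*OBJJOB) and the three commands are the ones this page describes.

```cl
/* AUTCOLUSR: start, end, or delete authority collection for every user    */
/* an application runs under (added example, not from the original page).  */
/* &USRLIST holds up to ten profile names in 10-byte slots, e.g.            */
/*   CALL AUTCOLUSR ('USR1      USR2      USR3' '*START')                   */
/* Assumption: the caller holds the special authorities STRAUTCOL,          */
/* ENDAUTCOL and DLTAUTCOL require when naming another user profile.        */
             PGM        PARM(&USRLIST &ACTION)
             DCL        VAR(&USRLIST) TYPE(*CHAR) LEN(100)
             DCL        VAR(&ACTION)  TYPE(*CHAR) LEN(10)  /* *START *END *DLT */
             DCL        VAR(&USR)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&POS)     TYPE(*DEC)  LEN(3 0)

             DOFOR      VAR(&POS) FROM(1) TO(91) BY(10)
               CHGVAR   VAR(&USR) VALUE(%SST(&USRLIST &POS 10))
               IF       COND(&USR *EQ ' ') THEN(LEAVE)   /* end of the list */
               SELECT
               WHEN     COND(&ACTION *EQ '*START') THEN(DO)
                 /* DETAIL(*OBJJOB) records one instance per object AND per */
                 /* unique code path in the job, so the analysis can tie    */
                 /* each check to the program that made it.  Library and    */
                 /* object selection is left at the command defaults.       */
                 STRAUTCOL TYPE(*USRPRF) USRPRF(&USR) DETAIL(*OBJJOB)
                 MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
               ENDDO
               WHEN     COND(&ACTION *EQ '*END') THEN(DO)
                 /* Data stays in the repository; STRAUTCOL may be run      */
                 /* again later to add to it.                               */
                 ENDAUTCOL TYPE(*USRPRF) USRPRF(&USR)
                 MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
               ENDDO
               WHEN     COND(&ACTION *EQ '*DLT') THEN(DO)
                 /* Only after the data has been analyzed: the repository   */
                 /* for &USR is removed.                                    */
                 DLTAUTCOL TYPE(*USRPRF) USRPRF(&USR)
                 MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
               ENDDO
               OTHERWISE CMD(GOTO CMDLBL(FAIL))
               ENDSELECT
             ENDDO
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Authority collection' *BCAT &ACTION +
                          *BCAT 'completed for the listed users') +
                          MSGTYPE(*COMP)
             RETURN
 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Authority collection' *BCAT &ACTION +
                          *BCAT 'failed for user' *BCAT &USR) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Run the application between the *START and *END calls under each listed profile; collection is only active while that profile is the current user of the job.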

Starting authority collection for objects

Authority collection by object occurs when an object has an authority collection value other than *NONE and authority collection for objects is active. The data that is collected is object level authority data for the user running at the time the authority check is performed on the object. Object level authority data is defined as private authorities for a user to an object (including authorities from an authorization list), group profile authority information, public authority, and program adopted authority. The intent of this support is to allow the customer to better secure their data objects with object level authority settings.

For information about an object's authority collection value, see Change an object's authority collection value.

The Start Authority Collection (STRAUTCOL) command specifying TYPE(*OBJAUTCOL) is used to start authority collection for objects. Authority information is collected for objects with an authority collection value other than *NONE. An object's authority collection value is set by using the Change Authority Collection (CHGAUTCOL) command. Authority collection for objects is ended by using the End Authority Collection (ENDAUTCOL) command specifying TYPE(*OBJAUTCOL). Ending authority collection for objects does not change the object’s authority collection value. Authority collection can be restarted for objects after it is ended by using the STRAUTCOL TYPE(*OBJAUTCOL) command.

To collect authority information for objects that an application uses:
  1. Change the authority collection value for the desired objects to *OBJINF.
    • CHGAUTCOL OBJ('/QSYS.LIB/MYLIB.LIB/MYOBJ.DTAARA') AUTCOLVAL(*OBJINF) ...
    • CHGAUTCOL OBJ('/path/obj') AUTCOLVAL(*OBJINF) ...
  2. Start authority collection for objects.
    • STRAUTCOL TYPE(*OBJAUTCOL) ...
  3. Run the application.
  4. End authority collection for objects.
    • ENDAUTCOL TYPE(*OBJAUTCOL)
  5. Analyze the authority data that is collected for each object.
  6. Change the authority collection value of the desired objects to *NONE to indicate that authority information is no longer collected.
    • CHGAUTCOL OBJ('/QSYS.LIB/MYLIB.LIB/MYOBJ.DTAARA') AUTCOLVAL(*NONE) ...
    • CHGAUTCOL OBJ('/path/obj') AUTCOLVAL(*NONE) ...
  7. Delete the authority collection data for the objects when it is no longer needed.
    • DLTAUTCOL TYPE(*OBJ) OBJ('/QSYS.LIB/MYLIB.LIB/MYOBJ.DTAARA') ...
    • DLTAUTCOL TYPE(*OBJ) OBJ('/path/obj') ...
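The object-based procedure above for a single object path, as an added example that is not part of the original page. The program name AUTCOLOBJ and its parameters are assumptions; CHGAUTCOL, STRAUTCOL TYPE(*OBJAUTCOL), ENDAUTCOL and DLTAUTCOL TYPE(*OBJ) are used exactly as this page shows them, and the program makes the point in the text explicit that ending collection does not reset the object's authority collection value.

```cl
/* AUTCOLOBJ: run the object-based procedure for one object               */
/* (added example, not from the original page).  &OBJPATH is either a      */
/* QSYS.LIB path or an IFS path, as in the two CHGAUTCOL forms above, e.g.  */
/*   CALL AUTCOLOBJ ('/QSYS.LIB/MYLIB.LIB/MYOBJ.DTAARA' '*START')           */
             PGM        PARM(&OBJPATH &ACTION)
             DCL        VAR(&OBJPATH) TYPE(*CHAR) LEN(512)
             DCL        VAR(&ACTION)  TYPE(*CHAR) LEN(10)  /* *START *END *DLT */

             SELECT
             WHEN       COND(&ACTION *EQ '*START') THEN(DO)
               /* Step 1: mark the object.  Nothing is logged for it until  */
               /* collection for objects is active (step 2).                */
               CHGAUTCOL OBJ(&OBJPATH) AUTCOLVAL(*OBJINF)
               MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
               /* Step 2: activate collection for every marked object on    */
               /* the system, not only for &OBJPATH.                        */
               STRAUTCOL TYPE(*OBJAUTCOL)
               MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
             ENDDO
             WHEN       COND(&ACTION *EQ '*END') THEN(DO)
               /* Step 4: this ends collection for all marked objects.      */
               ENDAUTCOL TYPE(*OBJAUTCOL)
               MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
               /* Step 6: ENDAUTCOL leaves the value at *OBJINF, so without */
               /* this reset the next STRAUTCOL TYPE(*OBJAUTCOL) resumes    */
               /* logging for this object.                                  */
               CHGAUTCOL OBJ(&OBJPATH) AUTCOLVAL(*NONE)
               MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
             ENDDO
             WHEN       COND(&ACTION *EQ '*DLT') THEN(DO)
               /* Step 7: remove the collected data once it is analyzed.    */
               DLTAUTCOL TYPE(*OBJ) OBJ(&OBJPATH)
               MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
             ENDDO
             OTHERWISE  CMD(GOTO CMDLBL(FAIL))
             ENDSELECT
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Object authority collection' *BCAT +
                          &ACTION *BCAT 'completed') MSGTYPE(*COMP)
             RETURN
 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Object authority collection' *BCAT +
                          &ACTION *BCAT 'failed for' *BCAT &OBJPATH) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

For several objects, call *START once per object path (the repeated STRAUTCOL TYPE(*OBJAUTCOL) is the one step that applies system-wide), run the application, then call *END and *DLT per object.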