Saving security data

This information describes the commands that save user profiles, private authorities, authorization lists, and authority holders.

Use the SAVSYS command or the Save Security Data (SAVSECDTA) command to save the following security data:

  • User profiles
  • Private authorities
  • Authorization lists
  • Authority holders

The system stores other security data with each object. The system saves this security data when it saves the object, as follows:
  • Public authority
  • Owner and owner authority
  • Primary group and primary group authority
  • Authorization list linked to object

Saving security data does not require your system to be in a restricted state. However, you cannot delete user profiles while the system saves security data. If you change user profiles or grant authority while you save security data, your saved information might not reflect the changes.

To reduce the size of a large user profile, take one or more of the following actions:

  • Transfer ownership of some objects to another user profile.
  • Remove the private authority to some objects for that user profile.

Note: Objects in the QSYS library are restored before authorization lists are available. Beginning with IBM i 7.3, authorization list links for objects in QSYS are saved and restored with the security data. If you use authorization lists to secure objects in the QSYS library on an earlier release, write a program to produce a file of those objects. Include this file in the save operation. If you restore the objects in QSYS for the earlier release, you need to re-create the associations between the objects and the authorization lists.

Saving private authorities

You can save private authorities for objects by using either of the following methods:
  • Use the SAVSYS or SAVSECDTA command. When you restore the data, specify the Restore User Profiles (RSTUSRPRF) and Restore Authority (RSTAUT) commands to restore the private authorities along with the data. Use RSTAUT when you are recovering an entire system.
  • Use any of the SAVxxx or SAVRSTxxx commands with the PVTAUT(*YES) parameter to save private authorities for objects. When you restore the objects, specify PVTAUT(*YES) on the RSTxxx command to restore the private authorities for those objects. Although saving private authorities increases the amount of time it takes to save the objects, it simplifies the recovery of the objects. Use the PVTAUT(*YES) parameter when you are restoring specific objects. Do not use the PVTAUT(*YES) parameter when you are recovering the entire system or large-scale user data.
Remember: You need save system (*SAVSYS) or all object (*ALLOBJ) special authority to save private authorities. You need *ALLOBJ special authority to restore private authorities.
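
The two methods above, shown side by side as CL commands. This is an added example, not part of the original documentation; the tape device TAP01 and the library APPLIB are assumed names.

```cl
/* ---- Method 1: security data saved separately (entire-system recovery) ---- */

/* Save: profiles, private authorities, authorization lists and       */
/* authority holders go to media with SAVSECDTA; the library is saved */
/* without its private authorities.                                   */
SAVSECDTA DEV(TAP01)
SAVLIB    LIB(APPLIB) DEV(TAP01)

/* Restore: profiles first, then the objects, then RSTAUT to reapply  */
/* the private authorities. RSTAUT runs last because it can only      */
/* grant authority to objects that already exist on the system.       */
RSTUSRPRF DEV(TAP01) USRPRF(*ALL)
RSTLIB    SAVLIB(APPLIB) DEV(TAP01)
RSTAUT    USRPRF(*ALL)

/* ---- Method 2: private authorities saved with the objects ---- */

/* Save: PVTAUT(*YES) writes the private authorities for APPLIB's     */
/* objects to the same media as the objects. The save takes longer.   */
SAVLIB    LIB(APPLIB) DEV(TAP01) PVTAUT(*YES)

/* Restore: PVTAUT(*YES) on the restore command reapplies them, so    */
/* no separate RSTAUT step is needed for these specific objects.      */
RSTLIB    SAVLIB(APPLIB) DEV(TAP01) PVTAUT(*YES)
```

Both save sequences require *SAVSYS or *ALLOBJ special authority, and both restore sequences require *ALLOBJ, as stated above.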

QSRSAVO API

You can use the Save Objects List (QSRSAVO) API to save user profiles.