Revoke Object Authority (RVKOBJAUT)

The Revoke Object Authority (RVKOBJAUT) command is used to take away specific (or all) authority for the named object(s) from one or more users named in the command, or to remove the authority of an authorization list for the named object(s). This command can be used by:

• The security officer
• An object's owner
• A user who has object management authority for the object to be revoked. Users who have object management authority can revoke only the explicit authority that they have.

• A user authorized to the Database Security Administrator function of IBM i (QIBM_DB_SECADM)

A user may not be able to grant or revoke authority for an object that has been allocated (locked) by another job. Authority cannot be revoked for an object that is currently in use.

Note: Caution should be used when changing the public authority on IBM-supplied objects. For example, changing the public authority on the QSYSOPR message queue to be more restrictive than *CHANGE will cause some system programs to fail. The system programs will not have enough authority to send messages to the QSYSOPR message queue. For more information, refer to the System i Security Reference, SC41-5302.

A user authorized to the Database Security Administrator function of IBM i (QIBM_DB_SECADM) has the authority to revoke other users from any object in the QSYS.lib file system. In addition, this user can remove an authorization list from an object.

Restrictions:

• Before this command is used to remove authorities to use a device, control unit, or line description, its associated device, control unit, or line must be varied on.
• Authority to use a device cannot be revoked if a user is currently signed on to the device.

  Note: Users can revoke their own authority to a device if they are currently signed onto that device. However, doing so may produce unpredictable results and is not advisable.

• For display stations or for work station message queues associated with the display station, if this command is not run from the device for which authorities are to be revoked, it should be preceded by the Allocate Object (ALCOBJ) command and followed by the Deallocate Object (DLCOBJ) command.
• Object type *DOC or *FLR cannot be specified.
• Document interchange support must be used.
• Object type *AUTL cannot be specified. The Change Authorization List Entry (CHGAUTLE) or Remove Authorization List Entry (RMVAUTLE) commands must be used. AUT (*AUTL) can be specified only with USER (*PUBLIC).
• Only a user with *ALL authority or the owner can remove the authorization list.
• You must have *USE authority to the auxiliary storage pool device if one is specified.

*** Security Risk ***

Revoking all authorities specifically given to a user for an object can result in the user having more authority than before the revoke operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.

Parameters

Object (OBJ)

Specifies the objects to have specific authority revoked. If *ALL is specified for the object name, a library name must be specified.

This is a required parameter.

Qualifier 1: Object

*ALL

All objects of the specified type (OBJTYPE) found in the search have specific authorities revoked. You must specify the name of a library when *ALL is specified for the object name.

generic-name

Specify the generic name of the objects that are to have specific authorities revoked.

A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.

name

Specify the name of the object that is to have specific authorities revoked.

Qualifier 2: Library

*LIBL

All libraries in the library list for the current thread are searched until the first match is found.

*CURLIB

The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.

*USRLIBL

If a current library entry exists in the library list for the current thread, the current library and the libraries in the user portion of the library list are searched. If there is no current library entry, only the libraries in the user portion of the library list are searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.

*ALL

All the libraries in the auxiliary storage pools (ASPs) specified for the ASP device (ASPDEV) parameter are searched.

*ALLUSR

All user libraries in the auxiliary storage pools (ASPs) defined by the ASP device (ASPDEV) parameter are searched.

User libraries are all libraries with names that do not begin with the letter Q except for the following:

#CGULIB     #DSULIB     #SEULIB
#COBLIB     #RPGLIB
#DFULIB     #SDALIB

Although the following libraries with names that begin with the letter Q are provided by IBM, they typically contain user data that changes frequently. Therefore, these libraries are also considered user libraries:

QDSNX       QRCLxxxxx   QUSRDIRDB   QUSRVI
QGPL        QSRVAGT     QUSRIJS     QUSRVxRxMx
QGPL38      QSYS2       QUSRINFSKR
QMGTC       QSYS2xxxxx  QUSRNOTES
QMGTC2      QS36F       QUSROND
QMPGDATA    QUSER38     QUSRPOSGS
QMQMDATA    QUSRADSM    QUSRPOSSA
QMQMPROC    QUSRBRM     QUSRPYMSVR
QPFRDATA    QUSRDIRCF   QUSRRDARS
QRCL        QUSRDIRCL   QUSRSYS

1. 'xxxxx' is the number of a primary auxiliary storage pool (ASP).
2. A different library name, in the format QUSRVxRxMx, can be created by the user for each previous release supported by IBM to contain any user commands to be compiled in a CL program for the previous release. For the QUSRVxRxMx user library, VxRxMx is the version, release, and modification level of a previous release that IBM continues to support.

*ALLAVL

All libraries in all available ASPs are searched.

*ALLUSRAVL

All user libraries in all available ASPs are searched. Refer to *ALLUSR for a definition of user libraries.

name

Specify the name of the library to be searched.

Object type (OBJTYPE)

Specifies the object type of the object that has specific authorities revoked. For a complete list of supported object types, position the cursor on this parameter while prompting the command and press F4.

This is a required parameter.

*ALL

All supported object types have specific authorities revoked.

object-type

Specify the object type that is to have specific authorities revoked.

ASP device (ASPDEV)

Specifies the auxiliary storage pool (ASP) device name where the library that contains the object (OBJ parameter) is located. If the object's library resides in an ASP that is not part of the library name space associated with the job, this parameter must be specified to ensure the correct object is used as the target of this command's operation.

*

The ASPs that are currently part of the job's library name space will be searched to locate the object. This includes the system ASP (ASP number 1), all defined basic user ASPs (ASP numbers 2-32), and, if the job has an ASP group, all independent ASPs in the ASP group.

*SYSBAS

The system ASP and all basic user ASPs will be searched to locate the object. No independent ASPs will be searched, even if the job has an ASP group.

name

Specify the device name of the independent ASP to be searched to locate the object. The independent ASP must have been activated (by varying on the ASP device) and have a status of AVAILABLE. The system ASP and basic user ASPs will not be searched.

Users (USER)

Specifies one or more users whose specific authorities to the named object are to be revoked.

Note: Either this parameter or the Authorization list (AUTL) parameter must be specified.

Authorities revoked by this command are related to those given by the Grant Object Authority (GRTOBJAUT) command. If users have public authority to an object because USER(*PUBLIC) was specified on the GRTOBJAUT command, that public authority is revoked when *PUBLIC is specified on this parameter. If users have specific authorities to an object because their names were specified on the GRTOBJAUT command, their names must be specified on this parameter to revoke the same authorities.

The authorities to be revoked are specified on the Authority (AUT) parameter.

Single values

*ALL

The authorities specified are to be taken away from all enrolled users of the system except the owner, whether they were publicly or explicitly authorized.

*PUBLIC

The specified authorities are taken away from users who do not have specific authority for the object, are not on the authorization list, and whose group has no authority. Any users who have specific authorities still keep their authorities to the object.

Other values (up to 50 repetitions)

name

Specify the name of the user profile of the user that is to have the specified authorities revoked. This parameter cannot be used to revoke public authority from specific users; only authorities that were specifically given to a user can be specifically revoked. A maximum of 50 user profile names can be specified.

Authority (AUT)

Specifies the authorities to be revoked from the users who do not have specific authority to the object, who are not on an authorization list, and whose user group does not have specific authority to the object.

Single values

*CHANGE

The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.

*ALL

The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.

*USE

The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.

*EXCLUDE

The user cannot access the workstation object.

*AUTL

The public authority of the authorization list specified on the AUTL parameter is used for the public authority for the object.

Note: You can specify AUT(*AUTL) only when USER(*PUBLIC) is also specified.

Other values (up to 10 repetitions)

*OBJALTER

Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.

*OBJMGT

Object management authority provides the authority to The security for the object, move or rename the object, and add members to database files.

*OBJEXIST

Object existence authority provides the authority to control the object's existence and ownership. If a user has special save system authority (*SAVSYS), object existence authority is not needed to perform save restore operations on the object.

*OBJOPR

Object operational authority provides authority to look at the description of an object and use the object as determined by the data authority that the user has to the object.

*OBJREF

Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

Data authorities

*ADD

Add authority provides the authority to add entries to an object (for example, job entries to an queue or records to a file).

*DLT

Delete authority provides the authority to remove entries from an object.

*EXECUTE

Execute authority provides the authority needed to run a program or locate an object in a library.

*READ

Read authority provides the authority needed to get the contents of an entry in an object or to run a program.

*UPD

Update authority provides the authority to change the entries in an object.

Authorization list (AUTL)

Specifies the authorization list that is revoked from the object specified for the Object (OBJ) parameter. If public authority in the object is *AUTL, it is changed to *EXCLUDE.

Note: Either this parameter or the Users (USER) parameter must be specified. If this parameter is specified, the AUT parameter is ignored.

name

Specify the name of the authorization list.

Examples

Example 1: Removing Authority From All Users Except Program Owner

RVKOBJAUT   OBJ(ARLIB/PROG1)  OBJTYPE(*PGM)  USER(*ALL)

This command removes the authorities (AUT was not specified; *CHANGE is assumed) from all users who were either explicitly or publicly authorized, except the owner, for the program (*PGM) named PROG1 located in the library named ARLIB.

Example 2: Removing Object Owner's Authority to Delete a Program

RVKOBJAUT   OBJ(TSMITHPGM/MITHLIB)  OBJTYPE(*PGM)
            USER(TMSMITH)  AUT(*OBJEXIST)

This command removes the object owner's (TMSMITH) authority to delete a program (TSMITHPGM) in his library (SMITHLIB). The object owner might do this to ensure that the object is not deleted by mistake. If the owner ever wants to delete the object, object existence authority for the object can be granted by using the Grant Object Authority (GRTOBJAUT) command).

Example 3: Removing *DLT and *UPD Authorities

RVKOBJAUT   OBJ(FILEX)  OBJTYPE(*FILE)
            USER(HEANDERSON)  AUT(*DLT *UPD)

This command removes delete and update authorities for the file named FILEX from the user HEANDERSON.

Example 4: Removing *OBJEXIST Authority

RVKOBJAUT   OBJ(ARLIB/ARJOBD)  OBJTYPE(*JOBD)  USER(RLJOHNSON)
            AUT(*OBJEXIST)

This command removes the object existence authority for the object named ARJOBD from the user RLJOHNSON. ARJOBD is a job description that is located in the library named ARLIB.

Example 5: Removing Specific Authorities

RVKOBJAUT   OBJ(FILEX)  OBJTYPE(*FILE)  AUTL(FILEUSERS)

This command removes specific authorities for the file named FILEX from the users in the authorization list FILEUSERS.

Error messages

*ESCAPE Messages

CPF22A0

Authority of *AUTL is allowed only with USER(*PUBLIC).

CPF22A1

OBJTYPE(*AUTL) not valid on this command.

CPF22A2

Authority of *AUTL not allowed for object type *USRPRF.

CPF22A3

AUTL parameter not allowed for object type *USRPRF.

CPF22A4

*EXCLUDE cannot be revoked from *PUBLIC.

CPF22A5

Object &1 in &3 type *&2 not secured by authorization list &4.

CPF22DA

Operation on file &1 in &2 not allowed.

CPF2207

Not authorized to use object &1 in library &3 type *&2.

CPF2208

Object &1 in library &3 type *&2 not found.

CPF2209

Library &1 not found.

CPF2210

Operation not allowed for object type *&1.

CPF2211

Not able to allocate object &1 in &3 type *&2.

CPF2216

Not authorized to use library &1.

CPF2224

Not authorized to revoke authority for object &1 in &3 type *&2.

CPF2227

One or more errors occurred during processing of command.

CPF2236

AUT input value not supported.

CPF2243

Library name &1 not allowed with OBJ(generic name) or OBJ(*ALL).

CPF2253

No objects found for &1 in library &2.

CPF2254

No libraries found for &1 request.

CPF2273

Authority may not have been changed for object &1 in &3 type *&2 for user &4.

CPF2283

Authorization list &1 does not exist.

CPF9804

Object &2 in library &3 damaged.

*STATUS Messages

CPF2256

Authority not revoked from all objects or all users.