Question & Answer
Question
How do you find Authorized User Entries for a User Profile?
Answer
This document discusses how to find Authorized User Entries for a user profile. These are authority entries for objects that the profile owns and on which other users on the system have private authorities.
The procedure explained below finds the authority entries behind the Percent of Authorized User Entries column of a PRTPRFINT report.

The IFS_OBJECT_PRIVILEGES table function returns a row for every user authorized to the object identified by the path name, along with their associated object and data authorities.
This information is similar to the information available through the Display Authority (DSPAUT) CL command and the Qp0lGetAttr()--Get Attributes API.
Authorization: The caller must have:
- For objects not in the QSYS.LIB file system:
  - For each directory included in the path name prior to the object name, *X
  - For the object, *OBJMGT
- For objects in the QSYS.LIB file system:
  - For each directory included in the path name prior to the object name, *X
  - For a *MBR object, *RX and *OBJMGT
  - For all other object types, *OBJMGT
For IFS Objects:
To get a listing of all IFS objects owned by a user for which other users on the system have a private authority:
NOTE: The following SQLs can take a very long time to complete depending on the number of objects that are owned by the user profile and the number of objects in the specified path.
1) Open the ACS Run SQL Scripts tool
2) Run the following SQL:
WITH OBJS AS (
SELECT PATH_NAME
FROM TABLE (
QSYS2.IFS_OBJECT_STATISTICS(START_PATH_NAME => '/home', SUBTREE_DIRECTORIES => 'YES') -- Specify the directory name
)
)
SELECT *
FROM OBJS,
TABLE (
QSYS2.IFS_OBJECT_PRIVILEGES(PATH_NAME)
)
WHERE OWNER = 'V6CASTIL' -- Specify the User ID that owns the Objects.
AND authorization_name <> 'V6CASTIL' -- Specify the User ID that owns the Objects.
AND authorization_name <> '*PUBLIC'
NOTES:
- Specify the name of the User ID that owns the objects and the starting path in the IFS.
- The users listed under the Authorization Name column have a private authority entry for objects owned by the user listed in the Owner column.
- If the specified path resides on an iASP, make sure that your SQL Connection Properties are using a connection to the storage pool.

To programmatically remove those private authorities, you can follow the steps below:
<<<<< The sample SQL programs are provided "AS IS", without warranty of any kind from IBM >>>>>>
1) Open the ACS Run SQL Scripts tool
2) Run the following SQL to create a table with the Private Authorities:
CREATE TABLE V6CASTIL/AUTUSRE AS -- Name of file and library to create.
(WITH OBJS AS (
SELECT PATH_NAME
FROM TABLE (
QSYS2.IFS_OBJECT_STATISTICS(START_PATH_NAME => '/home/v6castil', SUBTREE_DIRECTORIES => 'YES') -- Specify the directory name
)
)
SELECT table.*
FROM OBJS,
TABLE (
QSYS2.IFS_OBJECT_PRIVILEGES(PATH_NAME)
) AS table
WHERE OWNER = 'V6CASTIL' -- Specify the User ID that owns the Objects.
AND authorization_name <> 'V6CASTIL' -- Specify the User ID that owns the Objects.
AND authorization_name <> '*PUBLIC')
WITH DATA
NOTES:
- The previous command will create a file called AUTUSRE in library V6CASTIL. Adjust the name of the file and library as needed.
- The previous command will collect data from the path /home/v6castil. Adjust the path as needed.
- The previous SQL will collect Private Authorities for objects owned by user profile V6CASTIL. Adjust the user profile in the SQL as needed.
- If the specified path resides on an iASP, make sure that your SQL Connection Properties are using a connection to the storage pool.
Now that a file with the results has been created, run the following SQL to remove all private authorities for objects that are owned by the user profile:
1) Open the ACS Run SQL Scripts tool
2) Run the following SQL:
WITH TEMPAUT (PATH_NAME, AUTHORIZATION_NAME) AS (
SELECT PATH_NAME,
AUTHORIZATION_NAME
FROM V6CASTIL/AUTUSRE -- Name of TABLE Created on previous step
)
SELECT PATH_NAME,
AUTHORIZATION_NAME,
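QSYS2.QCMDEXC('CHGAUT OBJ(''' || REPLACE(PATH_NAME, '''', '''''') || ''') USER(' || AUTHORIZATION_NAME || ') DTAAUT(*NONE) OBJAUT(*NONE)') -- Apostrophes in the path name are doubled so the quoted OBJ value stays intact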
AS "Completion?"
FROM TEMPAUT;
NOTES:
- The SQL will remove all private authorities for objects owned by the user profile. Removing those authorities may result in authority errors if they were required by the end users. If the end users require access to the objects, make sure that they are authorized to them, for example via PUBLIC authorities.
- The SQL has no confirmation screen and will programmatically remove all private authorities for the objects.
- A '1' in the Completion column indicates that the CHGAUT command completed normally; a '-1' indicates that it failed.
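Because the removal SQL runs without a confirmation screen, the following added example (not part of IBM's document) shows queries for reviewing the saved entries before the removal and checking the result afterwards. It assumes the V6CASTIL/AUTUSRE table created in the earlier step; the correlation names A and P and the aliases ENTRIES and COMMAND_TEXT are made up for this example.

```sql
-- Added example: review and verification queries around the CHGAUT removal step.
-- V6CASTIL/AUTUSRE is the table created earlier on this page; the correlation
-- names (A, P) and the aliases (ENTRIES, COMMAND_TEXT) are made up here.

-- 1) How many private authority entries each user would lose.
SELECT AUTHORIZATION_NAME,
       COUNT(*) AS ENTRIES
  FROM V6CASTIL/AUTUSRE
 GROUP BY AUTHORIZATION_NAME
 ORDER BY ENTRIES DESC;

-- 2) Dry run: build each CHGAUT command as text without calling QSYS2.QCMDEXC.
--    REPLACE doubles any apostrophe in the path name so the quoted OBJ value
--    cannot be closed early by the file name itself.
SELECT PATH_NAME,
       AUTHORIZATION_NAME,
       'CHGAUT OBJ(''' || REPLACE(PATH_NAME, '''', '''''')
         || ''') USER(' || AUTHORIZATION_NAME
         || ') DTAAUT(*NONE) OBJAUT(*NONE)' AS COMMAND_TEXT
  FROM V6CASTIL/AUTUSRE;

-- 3) After the removal step has run: saved entries that are still present.
--    Each row returned is a private authority entry that was not removed.
SELECT A.PATH_NAME,
       A.AUTHORIZATION_NAME
  FROM V6CASTIL/AUTUSRE A,
       TABLE (
         QSYS2.IFS_OBJECT_PRIVILEGES(A.PATH_NAME)
       ) AS P
 WHERE P.AUTHORIZATION_NAME = A.AUTHORIZATION_NAME;
```

Keeping the AUTUSRE table after the removal preserves a record of which users held private authorities on which paths.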
Product Synonym
MCH2804;User Profile; PRTPRFINT; AUINTERNALS
Document Information
Modified date:
07 November 2025
UID
ibm17127485
