Question & Answer
Question
What is the purpose of the new value and how does it compare to the other 2 possible BRMS authority values - *OPERATOR and *ADMIN?
Cause
Possible authority error when running BRMS activity such as message CPF6A14, Program defined by variable &4 cannot be called.
Answer
BRMS introduced the new *AUT value for command SETUSRBRM and parameter USAGE (IBM i 7.2 and later) to address potential security concerns. Existing user profiles that previously performed BRMS operations may require additional authority to continue functioning correctly due to security enhancements that set the *PUBLIC user authority to *EXCLUDE for BRMS functions.
You can grant the necessary authority using the SETUSRBRM command with the USAGE(*AUT) parameter.
Note: *SECADM authority is required to run the SETUSRBRM command.
Purpose and details of the *AUT value:
- The *AUT value provides specific authority to designated BRMS programs and service programs. It ensures users retain the appropriate level of access based on what they were originally assigned under the *ADMIN or *OPERATOR roles. For more information about the authority levels granted by *ADMIN and *OPERATOR, refer to the SETUSRBRM main document.
- The new *AUT value provides a function distinct from *ADMIN. It does not replace or overlap with the authority structure of *ADMIN.
- Once the SETUSRBRM USAGE(*AUT) command is run, the authority assignment is stored in the BRMS database. Normally, it does not need to be run again, even after operating system upgrades or fix installations.
- There is no supported method to report or list the user profiles for which the SETUSRBRM USAGE(*AUT) command has been run. Doing so would expose sensitive security information.
The SETUSRBRM command does not allow *ALL as a user profile value.
Each profile requiring BRMS authority must be updated individually. This requirement also applies when BRMS authority is unintentionally revoked, for example by running:
- INZBRM OPTION(*SETAUT), or
- Any other action that removes BRMS authority.
Organizations may automate this process by developing a custom program to apply the *AUT value to all required users. IBM Consulting can also be engaged to assist with this work.
You may need to rerun SETUSRBRM USAGE(*AUT) if any of the following occur:
- An older version of the QUSRBRM library is restored
- The system is restored from backup
- The user profile undergoes security changes (such as deletion and recreation)
- The BRMS LPP is removed and reinstalled
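One way to write the custom program mentioned above, which also covers the rerun cases in this list. This is an added CL example, not IBM-supplied code. The profile names are constructed placeholders, and the generic CPF0000/BRM0000 monitors are an assumption because this document does not list the failure message IDs for SETUSRBRM.

```cl
/* Added example: apply SETUSRBRM USAGE(*AUT) to an explicit list  */
/* of profiles. Run it under a profile with *SECADM authority.     */
PGM
  /* Constructed placeholder names, each padded to 10 characters   */
  DCL VAR(&USERS)  TYPE(*CHAR) LEN(30) +
        VALUE('BRMOPER1  BRMOPER2  BRMADMIN1 ')
  DCL VAR(&COUNT)  TYPE(*INT) VALUE(3)
  DCL VAR(&I)      TYPE(*INT)
  DCL VAR(&POS)    TYPE(*INT)
  DCL VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL VAR(&FAILED) TYPE(*INT) VALUE(0)

  DOFOR VAR(&I) FROM(1) TO(&COUNT)
    CHGVAR VAR(&POS) VALUE(((&I - 1) * 10) + 1)
    CHGVAR VAR(&USER) VALUE(%SST(&USERS &POS 10))

    /* Skip a name that is not an existing user profile            */
    CHKOBJ OBJ(QSYS/&USER) OBJTYPE(*USRPRF)
    MONMSG MSGID(CPF9801 CPF9802) EXEC(DO)
      SNDPGMMSG MSG('Skipped, profile not usable: ' *CAT &USER)
      CHGVAR VAR(&FAILED) VALUE(&FAILED + 1)
      ITERATE
    ENDDO

    /* One profile per call: SETUSRBRM does not accept *ALL        */
    SETUSRBRM USER(&USER) USAGE(*AUT)
    /* Assumed generic monitors; exact message IDs are not listed  */
    MONMSG MSGID(CPF0000 BRM0000) EXEC(DO)
      SNDPGMMSG MSG('SETUSRBRM USAGE(*AUT) failed for ' *CAT &USER)
      CHGVAR VAR(&FAILED) VALUE(&FAILED + 1)
      ITERATE
    ENDDO

    /* Record each grant in the job log for later review           */
    SNDPGMMSG MSG('SETUSRBRM USAGE(*AUT) applied to ' *CAT &USER)
  ENDDO

  /* End abnormally if any profile was skipped or failed           */
  IF COND(&FAILED *GT 0) THEN(SNDPGMMSG MSGID(CPF9898) +
        MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
        MSGDTA('One or more profiles were not updated, see job log'))
ENDPGM
```

Because the page notes there is no supported way to list which profiles have had *AUT applied, the list kept in this program and the job log it writes serve as the record of who was granted the authority.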
Product Synonym
BRMS;IBM i;IBMi;
Document Information
Modified date:
04 May 2026
UID
ibm17256286