IBM Support

Removing Private Authorities and Replacing them with Authorization List using a program.

Question & Answer


Question

Having too many Private Authorities on the system can affect the performance of the SAVSECDTA command. This document provides a sample program that replaces the Private Authorities with an Authorization List.

Answer


The procedure listed below allows a user to remove Private Authorities from objects in the system and replace them with an Authorization List.

The sample programs read the records from an outfile. For each record, they first assign an Authorization List to the object and then remove the user's Private Authorities from it.

The sample programs use the information that is created as part of running the Retrieve private authorities (RTVPRVAUT) command.

This tool is described in document Tool to List Private Authorities.

Step 1

Create an Authorization List that will now be used to secure the objects:

CRTAUTL AUTL(AUTL1) TEXT('Authorization List to Secure Objects')

Where AUTL1 is the name of the Authorization List that will be used by the sample programs.

Step 2

Use the Edit Authorization List (EDTAUTL) command to add the users whose Private Authorities you are removing, and assign them the authorities they require.

EDTAUTL AUTL(AUTL1)

Step 3

Run the Retrieve private authorities (RTVPRVAUT) command for the user whose Private Authorities you will be removing.

Type RTVPRVAUT and press F4:

User profile name  . . . . . . . USRPRF         USER1                    
Object authorities output file   TOFILEA        QOBJPRVAUT          
  Library  . . . . . . . . . . .                  *CURLIB          
  Member . . . . . . . . . . . . OUTMBRA        *FIRST              
  Replace or add records . . . . MBROPTA        *REPLACE                
IFS authorities output file  . . TOFILEB        QIFSPRVAUT          
  Library  . . . . . . . . . . .                  *CURLIB          
  Member . . . . . . . . . . . . OUTMBRB        *FIRST              
  Replace or add records . . . . MBROPTB        *REPLACE                
Delete user spaces . . . . . . . DLTSURSPC      *YES


Where USER1 is the name of the user whose Private Authorities you are going to retrieve. Make sure that you replace the Library name with a library on your system. The command will create two files:

The QOBJPRVAUT file contains all of the user's Private Authorities for library-type objects.
The QIFSPRVAUT file contains all of the user's Private Authorities for objects in the IFS.

Note 1: This step needs to be done one user at a time. Once you have removed the Private Authorities for a user, you need to run the RTVPRVAUT command again for other users. We recommend that the files QOBJPRVAUT and QIFSPRVAUT be deleted or cleared once the process has completed for each user.

Step 4

Write a CL program that reads the records in each file and replaces the Private Authorities with the Authorization List created in Step 1.

 
Caution: This code is not supported by IBM, and IBM does not accept any responsibility for use of this sample code. Removing Private Authorities from users might cause applications to stop working.

CLP Sample Program for Removing Private Authorities from Library Type Objects:

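PGM        PARM(&USER &AUTL &LIB1)
 DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
 DCL        VAR(&AUTL) TYPE(*CHAR) LEN(10)
 DCL        VAR(&LIB1) TYPE(*CHAR) LEN(10)
 /* Outfile created by RTVPRVAUT in Step 3 */
 DCLF       FILE(LIBRARY/QOBJPRVAUT)
 /* Program-level monitors: ignore errors and continue with the next command */
 MONMSG     MSGID(CPF0000)
 MONMSG     MSGID(CPA0000)
 /* Read the next record; CPF0864 signals end of file */
 NEWRECORD:  RCVF
 MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(END))
 /* Secure the object with the authorization list */
 GRTOBJAUT  OBJ(&LIB1/&L1OBJNAME) OBJTYPE(*ALL) +
            AUTL(&AUTL)
 /* Remove the user's private authority to the object */
 RVKOBJAUT  OBJ(&LIB1/&L1OBJNAME) OBJTYPE(*ALL) +
            USER(&USER) AUT(*ALL)
 GOTO       CMDLBL(NEWRECORD)
END:        ENDPGM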

                                         
Where LIBRARY is the name of the library where the program OBJAUTRVK resides and LIB1 is the name of the library in which you will be replacing the user's Private Authorities.

Compile the Program.

To call the program, use the following command:

CALL PGM(LIBRARY/OBJAUTRVK) PARM(USER1 AUTL1 LIB1)

Where LIBRARY is the name of the library where the program resides, OBJAUTRVK is the name of the program, USER1 is the name of the user whose private authorities will be removed, AUTL1 is the name of the Authorization List created in Step 1, and LIB1 is the name of the library where the objects reside.

Note 1: Although the file QOBJPRVAUT contains a list of Private Authorities for all libraries in the system, it is not recommended that you remove all private authorities for any user.

Note 2: Keep in mind that the program reads each record in the file and executes the commands GRTOBJAUT and RVKOBJAUT for each record. The process can be lengthy if there are many objects in the file. You should consider running the program in batch mode.

Note 3: The commands GRTOBJAUT and RVKOBJAUT need to obtain an exclusive lock on the objects, so it is recommended that the procedure be performed while in restricted state or when there are no jobs that may hold locks on the objects.
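
An added example, not part of the IBM sample: a variant of the library-object program that revokes a private authority only after GRTOBJAUT has attached the authorization list, and reports how many records were secured or skipped. The counters, the FINISH label and the CHKOBJ pre-check are assumptions of this example; the file, field and parameter names are those of the sample above.

```cl
/* Added example, not IBM code. Variant of the OBJAUTRVK sample.      */
PGM        PARM(&USER &AUTL &LIB1)
 DCL        VAR(&USER)  TYPE(*CHAR) LEN(10)
 DCL        VAR(&AUTL)  TYPE(*CHAR) LEN(10)
 DCL        VAR(&LIB1)  TYPE(*CHAR) LEN(10)
 DCL        VAR(&DONE)  TYPE(*DEC)  LEN(9 0) VALUE(0) /* secured      */
 DCL        VAR(&SKIP)  TYPE(*DEC)  LEN(9 0) VALUE(0) /* left as-is   */
 DCL        VAR(&DONEC) TYPE(*CHAR) LEN(9)
 DCL        VAR(&SKIPC) TYPE(*CHAR) LEN(9)
 DCL        VAR(&MSG)   TYPE(*CHAR) LEN(80)
 DCLF       FILE(LIBRARY/QOBJPRVAUT)
 /* No program-level MONMSG: an unexpected error stops the run.       */

 /* Stop before touching any object if the list is not available.     */
 CHKOBJ     OBJ(QSYS/&AUTL) OBJTYPE(*AUTL)
 MONMSG     MSGID(CPF9800) EXEC(DO)
   CHGVAR     VAR(&MSG) VALUE('Authorization list' *BCAT &AUTL +
                *BCAT 'is not available')
   SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                MSGTYPE(*ESCAPE)
 ENDDO

NEWRECORD:  RCVF
 MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(FINISH)) /* end of file   */

 /* Attach the list first. If that fails, keep the private authority. */
 GRTOBJAUT  OBJ(&LIB1/&L1OBJNAME) OBJTYPE(*ALL) AUTL(&AUTL)
 MONMSG     MSGID(CPF0000) EXEC(DO)
   CHGVAR     VAR(&SKIP) VALUE(&SKIP + 1)
   GOTO       CMDLBL(NEWRECORD)
 ENDDO

 /* Revoke only after the list has been attached to the object.       */
 RVKOBJAUT  OBJ(&LIB1/&L1OBJNAME) OBJTYPE(*ALL) USER(&USER) AUT(*ALL)
 MONMSG     MSGID(CPF0000) EXEC(DO)
   CHGVAR     VAR(&SKIP) VALUE(&SKIP + 1)
   GOTO       CMDLBL(NEWRECORD)
 ENDDO
 CHGVAR     VAR(&DONE) VALUE(&DONE + 1)
 GOTO       CMDLBL(NEWRECORD)

 /* Report the totals to the caller as a completion message.          */
FINISH:     CHGVAR     VAR(&DONEC) VALUE(&DONE)
 CHGVAR     VAR(&SKIPC) VALUE(&SKIP)
 CHGVAR     VAR(&MSG) VALUE('Secured' *BCAT &DONEC *BCAT +
              'objects, skipped' *BCAT &SKIPC)
 SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) MSGTYPE(*COMP)
 ENDPGM
```

Records counted as skipped keep their private authority, so a later RTVPRVAUT run for the same user still lists them.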

CLP Sample Program for Removing Private Authorities from IFS Objects:

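PGM        PARM(&USER &AUTL)
 DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
 DCL        VAR(&AUTL) TYPE(*CHAR) LEN(10)
 /* Outfile created by RTVPRVAUT in Step 3 */
 DCLF       FILE(LIBRARY/QIFSPRVAUT)
 /* Program-level monitors: ignore errors and continue with the next command */
 MONMSG     MSGID(CPF0000)
 MONMSG     MSGID(CPA0000)
 /* Read the next record; CPF0864 signals end of file */
 NEWRECORD:  RCVF
 MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(END))
 /* Secure the object with the authorization list */
 CHGAUT     OBJ(&L2PATH) AUTL(&AUTL)
 /* Remove the user's private data and object authorities */
 CHGAUT     OBJ(&L2PATH) USER(&USER) DTAAUT(*NONE) +
            OBJAUT(*NONE)
 GOTO       CMDLBL(NEWRECORD)
END:        ENDPGM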

Where LIBRARY is the name of the library where the program IFSAUTRVK resides.

Compile the Program.

To call the program, use the following command:

CALL PGM(LIBRARY/IFSAUTRVK) PARM(USER1 AUTL1)

Where LIBRARY is the name of the library where the program resides, IFSAUTRVK is the name of the program, USER1 is the name of the user whose private authorities will be removed, and AUTL1 is the name of the Authorization List created in Step 1.

Note 1: Keep in mind that the program reads each record in the file and executes the command CHGAUT twice for each record. The process can be lengthy if there are many objects in the file. You should consider running the program in batch mode.

Note 2: The command CHGAUT needs to obtain an exclusive lock on the objects, so it is recommended that the procedure be performed while in restricted state or when there are no jobs that may hold locks on the objects.

For more information on the issue where the SAVSECDTA process takes a long time to complete, refer to document:

http://www.ibm.com/support/docview.wss?uid=nas8N1018753
 

Product: IBM i (Power). Platform: IBM i. Version: 7.1.0

Document Information

Modified date:
21 September 2020

UID

nas8N1021449