Accumulated authorities

Accumulated authorities are the total authorities that a user or group has to perform an operation on an object.

A user can be granted authorities on an object from the following sources:

• An authority record that has been created on the object for the user (Windows only).
• An authority record that has been created on the object for a group to which the user belongs.
• An authority record that has been created for the user against a generic profile that matches the object (Windows only).
• An authority record that has been created for a group to which the user belongs against a generic profile that matches the object.

If a user is granted an authority (for example, the authority to put messages on a queue called Q1) from just one of these sources, the user has that authority, even if authority records from other sources do not grant that authority. For example, the following figure shows that the user called User500, who belongs to group AppDev6, does not have authority to put messages on Q1 because the Put authority has not been granted to User500 or to AppDev6. User500, however, does have authority to get messages from Q1 because the Get authority has been granted to AppDev6 so User500 inherits the Get authority.

In the figure, the first row of the table in the Find Accumulated Authorities dialog shows the accumulated authorities of User500. The next two rows show the authority records that contribute to the accumulated authorities. In the scenario shown in the figure, the authority record for User500 does not contain the Put and Get authorities; the authority record for AppDev6, however, contains the Get authority. Therefore, the accumulated authorities for User500 show that User500 has Get authority but not Put authority on queue Q1.

The warning message in the Find Accumulated Authorities dialog shows that although User500 has some authorities to perform operations on queue Q1, User500 does not have authority to connect to the queue manager that hosts Q1.