Revoke Object Authority (RVKOBJAUT)
Where allowed to run: All environments (*ALL)
Threadsafe: No

The Revoke Object Authority (RVKOBJAUT) command is used to take away specific (or all) authority for the named object(s) from one or more users named in the command, or to remove the authority of an authorization list for the named object(s). This command can be run by the security officer, by an object's owner, or by a user who has object management authority for the object to be revoked. Users who have object management authority can revoke only the explicit authority that they have. A user may not be able to grant or revoke authority for an object that has been allocated (locked) by another job. Authority cannot be revoked for an object that is currently in use.
Caution should be used when changing the public authority on IBM-supplied objects. For example, changing the public authority on the QSYSOPR message queue to be more restrictive than *CHANGE will cause some system programs to fail. The system programs will not have enough authority to send messages to the QSYSOPR message queue. For more information, refer to the iSeries Security Reference, SC41-5302.
Restrictions:
- Before this command is used to remove authorities to use a device, control unit, or line description, its associated device, control unit, or line must be varied on.
- Authority to use a device cannot be revoked if a user is currently signed on to the device. Users can revoke their own authority to a device if they are currently signed on to that device. However, doing so may produce unpredictable results and is not advisable.
- For display stations or for work station message queues associated with the display station, if this command is not run from the device for which authorities are to be revoked, it should be preceded by the Allocate Object (ALCOBJ) command and followed by the Deallocate Object (DLCOBJ) command.
- Object type *DOC or *FLR cannot be specified. Document interchange support must be used for those object types.
- Object type *AUTL cannot be specified. The Change Authorization List Entry (CHGAUTLE) or Remove Authorization List Entry (RMVAUTLE) commands must be used. AUT (*AUTL) can be specified only with USER (*PUBLIC).
- Only a user with *ALL authority or the owner can remove the authorization list.
- You must have *USE authority to the auxiliary storage pool device if one is specified.
*** Security Risk ***
Revoking all authorities specifically given to a user for an object can result in the user having more authority than before the revoke operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.
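The following CL sequence is an added illustration of the risk described above; it is not part of the IBM reference, and the library, file, authorization list and user profile names (APPLIB, CUSTFILE, APPUSERS, ALICE) are constructed. It shows a private *USE entry being revoked while the user still holds *CHANGE on the authorization list that secures the object, and the display commands a practitioner should run afterwards to confirm the resulting authority rather than assume it.

```cl
/* Added illustration (not from the IBM reference): why revoking a user's   */
/* private *USE authority can leave that user with MORE authority.          */
/* All names (APPLIB, CUSTFILE, APPUSERS, ALICE) are constructed.           */

/* 1. Create a file and secure it with an authorization list on which the   */
/*    user holds *CHANGE. The list's public authority is *EXCLUDE.          */
CRTPF      FILE(APPLIB/CUSTFILE) RCDLEN(80)
CRTAUTL    AUTL(APPUSERS) AUT(*EXCLUDE)
ADDAUTLE   AUTL(APPUSERS) USER(ALICE) AUT(*CHANGE)
GRTOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE) AUTL(APPUSERS)

/* 2. Give the same user a more restrictive private authority. A private    */
/*    authority to the object is checked before the authorization list,     */
/*    so ALICE is now effectively limited to *USE.                          */
GRTOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE) USER(ALICE) AUT(*USE)

/* 3. Revoke that private authority. With no private entry left, the        */
/*    authority search falls through to APPUSERS, where ALICE has *CHANGE:  */
/*    the "revoke" has widened her access to the file.                      */
RVKOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE) USER(ALICE) AUT(*USE)

/* 4. Verify the effective result instead of assuming it: the object's      */
/*    authority display no longer shows ALICE, and the list display shows   */
/*    her *CHANGE entry, which is what now applies.                         */
DSPOBJAUT  OBJ(APPLIB/CUSTFILE) OBJTYPE(*FILE)
DSPAUTL    AUTL(APPUSERS)

/* If the intent was to cut ALICE back to *USE, change her entry on the     */
/* list (CHGAUTLE) rather than removing the private entry on the object.    */
CHGAUTLE   AUTL(APPUSERS) USER(ALICE) AUT(*USE)
```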
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| OBJ | Object | Qualified object name | Required, Positional 1 |
| | Qualifier 1: Object | Generic name, name, *ALL | |
| | Qualifier 2: Library | Name, *LIBL, *CURLIB, *ALL, *ALLUSR, *USRLIBL, *ALLAVL, *ALLUSRAVL | |
| OBJTYPE | Object type | *ALL, *ALRTBL, *BNDDIR, *CFGL, *CHTFMT, *CLD, *CLS, *CMD, *CNNL, *COSD, *CRG, *CRQD, *CSI, *CSPMAP, *CSPTBL, *CTLD, *DEVD, *DTAARA, *DTADCT, *DTAQ, *EDTD, *FCT, *FILE, *FNTRSC, *FNTTBL, *FORMDF, *FTR, *GSS, *IGCDCT, *IGCSRT, *IGCTBL, *IMGCLG, *IPXD, *JOBD, *JOBQ, *JOBSCD, *JRN, *JRNRCV, *LIB, *LIND, *LOCALE, *M36, *M36CFG, *MEDDFN, *MENU, *MGTCOL, *MODD, *MODULE, *MSGF, *MSGQ, *NODGRP, *NODL, *NTBD, *NWID, *NWSCFG, *NWSD, *OUTQ, *OVL, *PAGDFN, *PAGSEG, *PDFMAP, *PDG, *PGM, *PNLGRP, *PRDAVL, *PRDDFN, *PRDLOD, *PSFCFG, *QMFORM, *QMQRY, *QRYDFN, *RCT, *S36, *SBSD, *SCHIDX, *SPADCT, *SQLPKG, *SQLUDT, *SRVPGM, *SSND, *SVRSTG, *TBL, *TIMZON, *USRIDX, *USRPRF, *USRQ, *USRSPC, *VLDL, *WSCST | Required, Positional 2 |
| ASPDEV | ASP device | Name, *, *SYSBAS | Optional |
| USER | Users | Single values: *ALL, *PUBLIC. Other values (up to 50 repetitions): Name | Optional, Positional 3 |
| AUT | Authority | Single values: *CHANGE, *ALL, *USE, *EXCLUDE, *AUTL. Other values (up to 10 repetitions): *OBJALTER, *OBJEXIST, *OBJMGT, *OBJOPR, *OBJREF, *ADD, *DLT, *READ, *UPD, *EXECUTE | Optional, Positional 4 |
| AUTL | Authorization list | Name | Optional |
Object (OBJ)
Specifies the objects to have specific authority revoked. If *ALL is specified for the object name, a library name must be specified.
This is a required parameter.
Qualifier 1: Object
- *ALL
- All objects of the specified type (OBJTYPE) found in the search have specific authorities revoked. You must specify the name of a library when *ALL is specified for the object name.
- generic-name
- Specify the generic name of the objects that are to have specific authorities revoked.
A generic name is a character string of one or more characters followed by an asterisk (*); for example ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name.
- name
- Specify the name of the object that is to have specific authorities revoked.
Qualifier 2: Library
- *LIBL
- All libraries in the library list for the current thread are searched until the first match is found.
- *CURLIB
- The current library for the thread is searched. If no library is specified as the current library for the thread, the QGPL library is searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.
- *USRLIBL
- If a current library entry exists in the library list for the current thread, the current library and the libraries in the user portion of the library list are searched. If there is no current library entry, only the libraries in the user portion of the library list are searched. If the ASP device (ASPDEV) parameter is specified when this value is used, ASPDEV(*) is the only valid value.
- *ALL
- All the libraries in the auxiliary storage pools (ASPs) specified for the ASP device (ASPDEV) parameter are searched.
- *ALLUSR
- All user libraries in the auxiliary storage pools (ASPs) defined by the ASP device (ASPDEV) parameter are searched.
User libraries are all libraries with names that do not begin with the letter Q, except for the following:
#CGULIB #COBLIB #DFULIB #DSULIB #RPGLIB #SDALIB #SEULIB
Although the following libraries with names that begin with the letter Q are provided by IBM, they typically contain user data that changes frequently. Therefore, these libraries are also considered user libraries:
QDSNX QGPL QGPL38 QMGTC QMGTC2 QMPGDATA QMQMDATA QMQMPROC QPFRDATA QRCL QRCLxxxxx QSRVAGT QSYS2 QSYS2xxxxx QS36F QUSER38 QUSRADSM QUSRBRM QUSRDIRCL QUSRDIRDB QUSRIJS QUSRINFSKR QUSRNOTES QUSROND QUSRPOSGS QUSRPOSSA QUSRPYMSVR QUSRRDARS QUSRSYS QUSRVI QUSRVxRxMx
- 'xxxxx' is the number of a primary auxiliary storage pool (ASP).
- A different library name, in the format QUSRVxRxMx, can be created by the user for each previous release supported by IBM to contain any user commands to be compiled in a CL program for the previous release. For the QUSRVxRxMx user library, VxRxMx is the version, release, and modification level of a previous release that IBM continues to support.
- *ALLAVL
- All libraries in all available ASPs are searched.
- *ALLUSRAVL
- All user libraries in all available ASPs are searched. Refer to *ALLUSR for a definition of user libraries.
- name
- Specify the name of the library to be searched.
Object type (OBJTYPE)
Specifies the object type of the object that has specific authorities revoked. For a complete list of object types, position the cursor on this parameter while prompting the command and press F4.
This is a required parameter.
- *ALL
- All object types (except *AUTL) have specific authorities revoked.
- object-type
- Specify the object type that is to have specific authorities revoked.
ASP device (ASPDEV)
Specifies the auxiliary storage pool (ASP) device name where the library that contains the object (OBJ parameter) is located. If the object's library resides in an ASP that is not part of the library name space associated with the job, this parameter must be specified to ensure the correct object is used as the target of this command's operation.
- *
- The ASPs that are currently part of the job's library name space will be searched to locate the object. This includes the system ASP (ASP number 1), all defined basic user ASPs (ASP numbers 2-32), and, if the job has an ASP group, all independent ASPs in the ASP group.
- *SYSBAS
- The system ASP and all basic user ASPs will be searched to locate the object. No independent ASPs will be searched, even if the job has an ASP group.
- name
- Specify the device name of the independent ASP to be searched to locate the object. The independent ASP must have been activated (by varying on the ASP device) and have a status of AVAILABLE. The system ASP and basic user ASPs will not be searched.
Users (USER)
Specifies one or more users whose specific authorities to the named object are to be revoked.
Either this parameter or the Authorization list (AUTL) parameter must be specified.
Authorities revoked by this command are related to those given by the Grant Object Authority (GRTOBJAUT) command. If users have public authority to an object because USER(*PUBLIC) was specified on the GRTOBJAUT command, that public authority is revoked when *PUBLIC is specified on this parameter. If users have specific authorities to an object because their names were specified on the GRTOBJAUT command, their names must be specified on this parameter to revoke the same authorities.
The authorities to be revoked are specified on the Authority (AUT) parameter.
Single values
- *ALL
- The authorities specified are to be taken away from all enrolled users of the system except the owner, whether they were publicly or explicitly authorized.
- *PUBLIC
- The specified authorities are taken away from users who do not have specific authority for the object, are not on the authorization list, and whose group has no authority. Any users who have specific authorities still keep their authorities to the object.
Other values (up to 50 repetitions)
- name
- Specify the name of the user profile of the user that is to have the specified authorities revoked. This parameter cannot be used to revoke public authority from specific users; only authorities that were specifically given to a user can be specifically revoked. A maximum of 50 user profile names can be specified.
Authority (AUT)
Specifies the authorities to be revoked from the users who do not have specific authority to the object, who are not on an authorization list, and whose user group does not have specific authority to the object.
Single values
- *CHANGE
- The user can perform all operations on the object except those limited to the owner or controlled by object existence (*OBJEXIST) and object management (*OBJMGT) authorities. The user can change and perform basic functions on the object. *CHANGE authority provides object operational (*OBJOPR) authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.
- *ALL
- The user can perform all operations except those limited to the owner or controlled by authorization list management (*AUTLMGT) authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.
- *USE
- The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. Use (*USE) authority provides object operational (*OBJOPR), read (*READ), and execute (*EXECUTE) authorities.
- *EXCLUDE
- The user cannot access the workstation object.
- *AUTL
- The public authority of the authorization list specified on the AUTL parameter is used for the public authority for the object.
You can specify AUT(*AUTL) only when USER(*PUBLIC) is also specified.
Other values (up to 10 repetitions)
- *OBJALTER
- Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
- *OBJMGT
- Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
- *OBJEXIST
- Object existence authority provides the authority to control the object's existence and ownership. If a user has special save system authority (*SAVSYS), object existence authority is not needed to perform save restore operations on the object.
- *OBJOPR
- Object operational authority provides authority to look at the description of an object and use the object as determined by the data authority that the user has to the object.
- *OBJREF
- Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.
- *ADD
- Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
- *DLT
- Delete authority provides the authority to remove entries from an object.
- *EXECUTE
- Execute authority provides the authority needed to run a program or locate an object in a library.
- *READ
- Read authority provides the authority needed to get the contents of an entry in an object or to run a program.
- *UPD
- Update authority provides the authority to change the entries in an object.
Authorization list (AUTL)
Specifies the authorization list that is removed from the object specified for the Object (OBJ) parameter. If the public authority for the object is *AUTL, it is changed to *EXCLUDE.
Either this parameter or the Users (USER) parameter must be specified. If this parameter is specified, the AUT parameter is ignored.
- name
- Specify the name of the authorization list.
Examples
Example 1: Removing Authority From All Users Except Program Owner
RVKOBJAUT OBJ(ARLIB/PROG1) OBJTYPE(*PGM) USER(*ALL)
This command removes the authorities (AUT was not specified; *CHANGE is assumed) from all users who were either explicitly or publicly authorized, except the owner, for the program (*PGM) named PROG1 located in the library named ARLIB.
Example 2: Removing Object Owner's Authority to Delete a Program
RVKOBJAUT OBJ(SMITHLIB/TSMITHPGM) OBJTYPE(*PGM) USER(TMSMITH) AUT(*OBJEXIST)
This command removes the object owner's (TMSMITH) authority to delete a program (TSMITHPGM) in his library (SMITHLIB). The object owner might do this to ensure that the object is not deleted by mistake. If the owner ever wants to delete the object, object existence authority for the object can be granted again by using the Grant Object Authority (GRTOBJAUT) command.
Example 3: Removing *DLT and *UPD Authorities
RVKOBJAUT OBJ(FILEX) OBJTYPE(*FILE) USER(HEANDERSON) AUT(*DLT *UPD)
This command removes delete and update authorities for the file named FILEX from the user HEANDERSON.
Example 4: Removing *OBJEXIST Authority
RVKOBJAUT OBJ(ARLIB/ARJOBD) OBJTYPE(*JOBD) USER(RLJOHNSON) AUT(*OBJEXIST)
This command removes the object existence authority for the object named ARJOBD from the user RLJOHNSON. ARJOBD is a job description that is located in the library named ARLIB.
Example 5: Removing Specific Authorities
RVKOBJAUT OBJ(FILEX) OBJTYPE(*FILE) AUTL(FILEUSERS)
This command removes the authorization list FILEUSERS from the file named FILEX, so the users on that list no longer receive authority to FILEX through it.
Error messages
*ESCAPE Messages
- CPF22A0
- Authority of *AUTL is allowed only with USER(*PUBLIC).
- CPF22A1
- OBJTYPE(*AUTL) not valid on this command.
- CPF22A2
- Authority of *AUTL not allowed for object type *USRPRF.
- CPF22A3
- AUTL parameter not allowed for object type *USRPRF.
- CPF22A4
- *EXCLUDE cannot be revoked from *PUBLIC.
- CPF22A5
- Object &1 in &3 type *&2 not secured by authorization list &4.
- CPF22DA
- Operation on file &1 in &2 not allowed.
- CPF2207
- Not authorized to use object &1 in library &3 type *&2.
- CPF2208
- Object &1 in library &3 type *&2 not found.
- CPF2209
- Library &1 not found.
- CPF2210
- Operation not allowed for object type *&1.
- CPF2211
- Not able to allocate object &1 in &3 type *&2.
- CPF2216
- Not authorized to use library &1.
- CPF2224
- Not authorized to revoke authority for object &1 in &3 type *&2.
- CPF2227
- One or more errors occurred during processing of command.
- CPF2236
- AUT input value not supported.
- CPF2243
- Library name &1 not allowed with OBJ(generic name) or OBJ(*ALL).
- CPF2253
- No objects found for &1 in library &2.
- CPF2254
- No libraries found for &1 request.
- CPF2273
- Authority may not have been changed for object &1 in &3 type *&2 for user &4.
- CPF2283
- Authorization list &1 does not exist.
- CPF9804
- Object &2 in library &3 damaged.
*STATUS Messages
- CPF2256
- Specified authority for the object not revoked from all users.