Planning authorization lists

 

You can group objects with similar security requirements by using an authorization list.

Conceptually, an authorization list contains a list of users and the authority that the users have to the objects that are secured by the list. Authorization lists provide an efficient way to manage the authority to similar objects on the system. However, in some cases, they make it difficult to keep track of authorities to objects. You can use the Print Private Authority (PRTPVTAUT) command to print information about authorization list authorities.

Authorization List Security

You can group objects with similar security requirements using an authorization list. An authorization list, conceptually, contains a list of users and the authority that the users have to the objects secured by the list. Each user can have a different authority to the set of objects the list secures. When you give a user authority to the authorization list, the operating system actually grants a private authority for that user to the authorization list. You can also use an authorization list to define public authority for the objects on the list. If the public authority for an object is set to *AUTL, the object gets its public authority from its authorization list.

The authorization list object is used as a management tool by the system. It actually contains a list of all objects which are secured by the authorization list. This information is used to build displays for viewing or editing the authorization list objects.

You cannot use an authorization list to secure a user profile or another authorization list. Only one authorization list can be specified for an object. Only the owner of the object, a user with all object (*ALLOBJ) special authority, or a user with all (*ALL) authority to the object, can add or remove the authorization list for an object.

Objects in the system library (QSYS) can be secured with an authorization list. However, the name of the authorization list that secures an object is stored with the object. In some cases, when you install a new release of the operating system, all the objects in the QSYS library are replaced. The association between the objects and your authorization list would be lost.

Planning Authorization Lists

An authorization list has these advantages:

Advantages of Using an Authorization List

From a security management view, an authorization list is the preferred method to manage objects that have the same security requirements. Even when there are only a few objects that would be secured by the list, there is still an advantage to using an authorization list instead of using private authorities on the authorized to the objects. It is also easier to secure any new objects with the same authorities as the existing objects.

If you use authorization lists, then you should not have private authorities on the object. Two searches of the user’s private authorities are required during the authority checking if the object has private authorities and the object is also secured by an authorization list. The first search is for the private authorities on the object; the second search is for the private authorities on the authorization list. Two searches require use of system resources and might impact performance.

If you use only the authorization list, only one search is performed. Also, because of the use of authority caching with the authorization list, the performance for the authority check will be the same as it is for checking only private authorities on the object. As application requirements change, more work files may be added to the application. Also, as job responsibilities change, different users run month-end processing.

An authorization list makes it simpler to manage these changes. Use these steps to set up the authorization list:

  1. Create the authorization list: CRTAUTL ICLIST1

  2. Secure all the work files with the authorization list: GRTOBJAUT OBJ(ITEMLIB/ICWRK*) + OBJTYP(*FILE) AUTL(ICLIST1)

  3. Add users to the list who perform month-end processing: ADDAUTLE AUTL(ICLIST1) USER(USERA) AUT(*ALL)

Using authorization lists

iSeries™ Navigator provides security features designed to assist you in developing a security plan and policy, and configure your system to meet your company’s needs. One of the functions available is the use of authorization lists. Authorization lists have the following features:

To use this function, perform these steps:

  1. From iSeries Navigator, expand your server—>Security. You will see Authorization Lists and Policies.

  2. Right-click Authorization Lists and select New Authorization List. The New Authorization List allows you to:

When working with authorization lists you will want to grant permissions for both objects and data. Object permissions you can choose include:

For more information on each process as you are creating or editing your authorization lists, use the online help available in iSeries Navigator.

To simplify managing authorities, use an authorization list to group objects with the same requirements. You can then give the public, group profiles, and user profiles authority to the authorization list rather than to the individual objects on the list. The system treats every object that you secure by an authorization list the same, but you can give different users different authorities to the entire list.

An authorization list makes it easier to reestablish authorities when you restore objects. If you secure objects with an authorization list, the restore process automatically links the objects to the list. You can give a group or user the authority to manage an authorization list (*AUTLMGT). Authorization list management allows the user to add and remove other users from the list and to change the authorities for those users.

Recommendations:

Look at the group and individual authorities on your Library description forms. Decide if using authorization lists is appropriate. If so, prepare Authorization list forms and update your Library description forms with the authorization list information.

 

Parent topic:

Planning resource security

Related concepts
Authorization lists