CHGAUTLE (Change Authorization List Entry)


Purpose

The Change Authorization List Entry (CHGAUTLE) command changes the authorities for users on authorization lists. The authorities that the users have on the authorization list are replaced with the authorities specified on the command. The authorization list must already exist and the users must be on the list. If the user specified is not on the list, a message is issued.

The users who can use this command to change the authorization list are: the owner of the authorization list, a user with authorization list management authorities on the list, or a user with all object authority.

When the CHGAUTLE command is used to change a user's authorities, the user must specify the name of the authorization list, a list of users, and a list of authorities. All users specified in the list are given the same authorities. The authorities of each user on the list given to the command are changed to the authorities specified on the command. Authority can be specified for all users who do not have specific authority, who are not on the authorization list, and whose groups have no authority, by giving a user profile name of *PUBLIC.


Restrictions

  1. Only the owner of the list or a user with *ALLOBJ authority can change a user's authorities to include *AUTLMGT.
  2. A user with *AUTLMGT authority can change a user's authority. They must also have the specific authority being added or removed.


Required Parameters

AUTL
Specifies the name or generic name of the authorization list for which users' authorities are to be changed. The authorization list must already exist.

authorization-list-name: Specify the name of the authorization list used.

generic*-authorization-list-name: Specify the generic name of the authorization list. A generic name is a character string of one or more characters followed by an asterisk (*); for example, ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name. See generic names for additional information.

USER
Specifies a list of user profile names whose authorities on the authorization list are changed. Up to 50 user profile names can be specified. If a user profile name is not on the authorization list, a message is issued.

*PUBLIC: Authority is given to all users who have no specific authority, are not on the authorization list, and whose group does not have any authority.

user-ID: Specify a list of user profile names whose authorities are changed.


Optional Parameters

AUT
Specifies the authority given to users specified on the USER parameter. Users must have *AUTLMGT authority to manage the authorization list.

*CHANGE: The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority. The user can change and perform basic functions on the object. Change authority provides object operational authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove user profile names.

*ALL: The user can perform all operations except those limited to the owner or controlled by authorization list management authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.

*USE: The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. *USE authority provides object operational authority, read authority, and execute authority.

*AUTLMGT: Authorization list management authority provides the authority to add users to the authorization list, change users' authorities on the list, remove users from the list, rename the list, or create a duplicate of it. This parameter is not valid when USER(*PUBLIC) is specified.

*OBJALTER: Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.

*OBJEXIST: Object existence authority provides the authority to control the object's existence and ownership. These authorities are necessary for users who want to delete the object, free storage for the object, perform save and restore operations for the object, or transfer ownership of the object. A user with special save system authority (*SAVSYS) does not need object existence authority. Object existence authority is required to create an object that was named by an authority holder.

*OBJMGT: Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.

*OBJOPR: Object operational authority provides authority to look at the description of the object and to use the object as determined by the data authority that the user has to the object.

*OBJREF: Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

*ADD: Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).

*DLT: Delete authority allows the user to remove entries from an object, for example, remove messages from a message queue or records from a file.

*EXECUTE: Execute authority provides the authority needed to run a program or locate an object in a library or directory.

*READ: Read authority provides the authority needed to show the contents of an object.

*UPD: Update authority provides the authority needed to change the entries in the object.

Single Value

*EXCLUDE: The user cannot access the object.

Example for CHGAUTLE

CHGAUTLE  AUTL(DEPT48X)
  USER(KARENG KARENS JEFF JULIE DARL)
  AUT(*CHANGE)

This command changes the authority that users KARENG, KARENS, JEFF, JULIE, and DARL have on the authorization list to *CHANGE. *CHANGE gives the users object operational authority and all data authorities to the objects secured by the authorization list.
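As an added example that is not part of the original page, the following CL program applies CHGAUTLE to the same list and users as the example above and monitors for the error messages documented below. The program structure, its labels, its messages, and the use of DSPAUTL for a record of the result are constructed for illustration.

```cl
/* Added example (not from the original page): tighten authorization  */
/* list DEPT48X with CHGAUTLE. List and user names follow the page's   */
/* example; the program, labels and messages are constructed.          */
PGM
  /* 1. Close the list to everyone not explicitly on it. *EXCLUDE must  */
  /*    be given alone (CPF2290) and *PUBLIC can never receive *AUTLMGT */
  /*    (CPF2286), so AUT(*EXCLUDE) by itself is the valid form here.   */
  CHGAUTLE AUTL(DEPT48X) USER(*PUBLIC) AUT(*EXCLUDE)
  MONMSG   MSGID(CPF2283) EXEC(GOTO CMDLBL(NOLIST))
  MONMSG   MSGID(CPF2284) EXEC(GOTO CMDLBL(NOAUTH))

  /* 2. Replace (not merge) the named users' authorities with *USE.     */
  /*    Every user in USER() receives the same authority; a name that   */
  /*    is not already on the list is reported, not added.              */
  CHGAUTLE AUTL(DEPT48X) USER(KARENG KARENS JEFF JULIE DARL) AUT(*USE)
  MONMSG   MSGID(CPF2287) EXEC(DO)
     /* CPF2287: &1 errors changing users; details are in the job log */
     SNDPGMMSG MSG('Some users on DEPT48X were not changed; see job log')
  ENDDO

  /* 3. Spool the resulting entries so the change can be reviewed.      */
  DSPAUTL  AUTL(DEPT48X) OUTPUT(*PRINT)
  RETURN

NOLIST:     SNDPGMMSG MSG('Authorization list DEPT48X does not exist')
            RETURN
NOAUTH:     SNDPGMMSG MSG('Not authorized to change authorization list DEPT48X')
            RETURN
ENDPGM
```

Because CHGAUTLE replaces rather than adds authorities, the second command removes any *CHANGE or *ALL authority those users previously held on DEPT48X; only the list owner or a user with *ALLOBJ could have granted *AUTLMGT in its place.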

Error messages for CHGAUTLE

*ESCAPE Messages

CPF22AA
Only *AUTLMGT authority can be specified with *ALL authority.
CPF22AB
Only *AUTLMGT can be specified with *CHANGE authority.
CPF22AC
Only *AUTLMGT authority can be specified with *USE authority.
CPF2253
No objects found for &1 in library &2.
CPF2281
The users specified do not exist on the system.
CPF2283
Authorization list &1 does not exist.
CPF2284
Not authorized to change authorization list &1.
CPF2286
*PUBLIC cannot be given *AUTLMGT authority.
CPF2287
&1 errors changing users, &2 authorization lists processed.
CPF2289
Unable to allocate authorization list &1.
CPF2290
*EXCLUDE cannot be specified with another authority.