RVKOBJAUT (Revoke Object Authority)

RVKOBJAUT Command syntax diagram

 

Purpose

The Revoke Object Authority (RVKOBJAUT) command is used to take away specific (or all) authority for the named objects from one or more users also named in the command, or to remove the authority of an authorization list for the named objects. This command can be entered by the security officer, by an object's owner, or by a user who has object management authority for the object whose authority is being removed. A user with object management authority can remove only the authorities that user holds. A user may not be able to give or remove authorities for an object that has been allocated (locked) to another job. If a specific (not *ALL) authority cannot be revoked, a message is issued that indicates the authorities that were not revoked.

 

Restrictions

  1. Before this command is used to remove authorities to use a device, control unit, or line description, its associated device, control unit, or line must be varied on.
  2. Authority to use a device cannot be revoked if a user is currently signed on to the device.

    Note: Users can revoke their own authority to a device if they are currently signed on to that device. However, doing so may produce unpredictable results and is not advisable.

  3. For display stations or for work station message queues associated with the display station, if this command is not entered at the device for which authorities are being revoked, it should be preceded by the Allocate Object (ALCOBJ) command and followed by the Deallocate Object (DLCOBJ) command.
  4. Object type *DOC or *FLR cannot be specified. Document interchange support must be used.
  5. Object type *AUTL cannot be specified. The Change Authorization List Entry (CHGAUTLE) or Remove Authorization List Entry (RMVAUTLE) commands must be used.
  6. AUT (*AUTL) can be specified only with USER (*PUBLIC).
  7. Only a user with *ALL authority or the owner can remove the authorization list.
  8. You must have *USE authority to the auxiliary storage pool device if one is specified.

Security Risk
Revoking all authorities specifically given to a user for an object can result in the user having more authority than before the revoke operation. If a user has *USE authority for an object and *CHANGE authority on the authorization list that secures the object, revoking *USE authority results in the user having *CHANGE authority to the object.
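The lookup order that produces this risk, modelled as an added Python illustration (not IBM code and not the command's implementation; the user names and authority sets are constructed, and *ALLOBJ special authority, group profiles and adopted authority are left out of the model):

```python
"""Model of the authority lookup behind the RVKOBJAUT 'Security Risk'. Added
illustration, not IBM code: the real IBM i check also involves *ALLOBJ special
authority, group profiles and adopted authority."""
from dataclasses import dataclass, field
# Specific authorities under AUT, and the system-defined values that expand to them.
OBJ_AUTH = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA_AUTH = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
SYSTEM_DEFINED = {"*ALL": OBJ_AUTH | DATA_AUTH,
                  "*CHANGE": {"*OBJOPR"} | DATA_AUTH,
                  "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
                  "*EXCLUDE": set()}

def expand(values):
    """AUT(...) values -> set of specific authorities."""
    return set().union(*(SYSTEM_DEFINED.get(v, {v}) for v in values))

def name_of(auths):
    """Specific-authority set -> system-defined name, or *USRDEF if none matches."""
    return next((n for n, m in SYSTEM_DEFINED.items() if m == auths), "*USRDEF")

@dataclass
class SecuredObject:
    private: dict = field(default_factory=dict)  # user -> specific authorities
    autl: dict = field(default_factory=dict)     # authorization list entries
    public: object = field(default_factory=set)  # *PUBLIC: a set, or "*AUTL"

    def effective(self, user):
        """Simplified lookup: private entry, then authorization-list entry, then *PUBLIC."""
        if user in self.private:
            return self.private[user]
        if user in self.autl:
            return self.autl[user]
        if self.public == "*AUTL":
            return self.autl.get("*PUBLIC", set())
        return self.public

    def rvkobjaut(self, user, aut):
        """RVKOBJAUT USER(user) AUT(aut) against this object."""
        revoked = expand(aut)
        if user == "*PUBLIC":  # cannot be removed, only reduced to *EXCLUDE
            if "*AUTL" in aut or revoked >= SYSTEM_DEFINED["*ALL"]:
                self.public = set()
            elif isinstance(self.public, set):
                self.public -= revoked
            return
        remaining = self.private.get(user, set()) - revoked
        if remaining:  # partial revoke, e.g. AUT(*DLT *UPD) from a *CHANGE user
            self.private[user] = remaining
        else:          # nothing specific left: the private entry disappears and the
            self.private.pop(user, None)  # user falls through to the list or *PUBLIC
```

With a constructed user JDOE holding *USE privately and *CHANGE on the list that secures the object, `rvkobjaut("JDOE", ["*USE"])` moves the effective authority from *USE to *CHANGE, which is the case the paragraph above describes.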

 

Required Parameters

OBJ
Specifies the qualified name of the objects for which specific authority is revoked. Either a specific or a generic object name is specified with a library name. If *ALL is specified, the name of a library must be specified. For more information on the use of generic functions, refer to generic functions.

The name of the object can be qualified by one of the following library values:

*LIBL: All libraries in the job's library list are searched until the first match is found.

*CURLIB: The current library for the job is searched. If no library is specified as the current library for the job, the QGPL library is used.

*USRLIBL: Only the libraries in the user portion of the job's library list are searched.

*ALL: All libraries in the auxiliary storage pools (ASPs) specified by the ASPDEV parameter are searched.

*ALLUSR: All user libraries in the ASPs specified by the ASPDEV parameter are searched. All libraries with names that do not begin with the letter Q are searched except for the following:

#CGULIB
#COBLIB
#DFULIB
#DSULIB
#RPGLIB
#SDALIB
#SEULIB

Although the following Qxxx libraries are provided by IBM, they typically contain user data that changes frequently. Therefore, these libraries are also considered user libraries and are also searched:

QDSNX
QGPL
QGPL38
QMPGDATA
QMQMDATA
QMQMPROC
QPFRDATA
QRCL
QRCLnnnnn
QS36F
QUSER38
QUSRADSM
QUSRBRM
QUSRDIRCL
QUSRDIRDB
QUSRIJS
QUSRINFSKR
QUSRNOTES
QUSROND
QUSRPOSGS
QUSRPOSSA
QUSRPYMSVR
QUSRRDARS
QUSRSYS
QUSRVI
QUSRVxRxMx

 

Notes

  1. "nnnnn" is the number of a primary auxiliary storage pool.
  2. A different library name, of the form QUSRVxRxMx, can be created by the user for each release that IBM supports. VxRxMx is the version, release, and modification level of the library.

*ALLAVL: All libraries in all available ASPs are searched.

*ALLUSRAVL: All user libraries in all available ASPs are searched. Refer to *ALLUSR for a definition of user libraries.

library-name: Specify the name of the library to be searched.

*ALL: All objects of the specified type (OBJTYPE) found in the search have specific authorities revoked. Specify the name of a library with *ALL.

generic*-object-name: Specify the generic name of the object. A generic name is a character string of one or more characters followed by an asterisk (*); for example, ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name. If the complete object name is specified and multiple libraries are searched, authorities can be revoked from multiple objects only if *ALL, *ALLUSR, *ALLAVL, or *ALLUSRAVL is specified as the library value. For more information on the use of generic names, refer to generic names.

object-name: Specify the name of the object for which specific authorities are revoked.

OBJTYPE
Specifies the object type of the object that has specific authorities revoked. More information on this parameter is in Commonly used parameters.

*ALL: All object types have specific authorities revoked.

object-type: Specify the type of the object for which specific authorities are revoked.

USER
Specifies the names of one or more users whose specific authorities to the named object are being removed. If a user was given the authority by USER(*PUBLIC) being specified in the Grant Object Authority (GRTOBJAUT) command, the same authorities are revoked by *PUBLIC being specified in this parameter. Users who were given specific authority by having their names specified in the GRTOBJAUT command must have their names specified on this parameter to remove the same authorities.

Either this parameter or the AUTL parameter must be specified.

*ALL: The authorities specified in the AUT parameter are taken away from all enrolled users of the system except the owner, if they are publicly or explicitly authorized.

*PUBLIC: The specified authorities are taken away from users who do not have specific authority for the object, who are not on the authorization list, and whose group has no authority. Users who have specific authority still retain their authorities to the object.

user-profile-name: Specify the user profile names of one or more users that are having the specified authorities revoked. The authorities specified in the AUT parameter are being specifically taken away from each specified user. This parameter cannot be used to remove public authority from specific users; only authorities that were specifically given to them can be specifically revoked.

AUTL
Specifies that the authorization list is revoked from the object specified on the OBJ parameter. If public authority to the object is *AUTL, it is changed to *EXCLUDE.

Either this parameter or the USER parameter must be specified. If this parameter is specified, the AUT parameter is ignored.

 

Optional Parameters

AUT
Specifies the authority being revoked from the users who do not have specific authority to the object, who are not on an authorization list, and whose user group has no specific authority to the object.

*CHANGE: The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority. The user can change and perform basic functions on the object. Change authority provides object operational authority and all data authority.

*ALL: The user can perform all operations except those limited to the owner or controlled by authorization list management authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object. If the object is an authorization list, the user cannot add, change, or remove user profile names. Revoking *ALL authority from *PUBLIC causes the *PUBLIC authority to change to *EXCLUDE.

*USE: The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. *USE authority provides object operational authority, read authority, and execute authority.

*EXCLUDE: The user cannot access the object.

*AUTL: The public authority of the authorization list specified in this parameter is revoked for the object. The public authority for the object becomes *EXCLUDE.

A maximum of ten of the following values can be specified:

*OBJALTER: Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.

*OBJEXIST: Object existence authority provides the authority to control the object's existence and ownership. These authorities are necessary for users who want to delete the object, free storage of the object, perform save and restore operations for the object, or transfer ownership of an object. If a user has special save system authority (*SAVSYS), object existence authority is not needed. Object existence authority is required to create an object that has been named by an authority holder.

*OBJMGT: Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.

*OBJOPR: Object operational authority provides authority to look at the description of an object and use the object as determined by the user's data authorities to that object.

*OBJREF: Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

*ADD: Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).

*DLT: Delete authority allows the user to remove entries from an object, for example, remove messages from a message queue or records from a file.

*EXECUTE: Execute authority provides the authority needed to run a program or to locate an object in a library.

*READ: Read authority provides the authority needed to show the contents of an entry in the object.

*UPD: Update authority provides the authority needed to change the entries in the object.

ASPDEV
Specifies the auxiliary storage pool (ASP) device name where the library that contains the object (OBJ parameter) is located. If the object's library resides in an ASP that is not part of the library name space associated with the job, this parameter must be specified to ensure the correct object is used as the target of the revoke operation.

*: The ASPs that are currently part of the job's library name space will be searched to locate the object. This includes the system ASP (ASP number 1), all defined basic user ASPs (ASP numbers 2-32), and, if the job has an ASP group, all independent ASPs in the ASP group.

*SYSBAS: The system ASP and all basic user ASPs will be searched to locate the object. No independent ASPs will be searched, even if the job has an ASP group.

auxiliary-storage-pool-device-name: The device name of the independent ASP to be searched to locate the object. The independent ASP must have been activated (by varying on the ASP device) and have a status of 'Available'. The system ASP and basic user ASPs will not be searched.

Examples for RVKOBJAUT

Example 1: Removing Authority From All Users Except Program Owner

RVKOBJAUT  OBJ(ARLIB/PROG1)  OBJTYPE(*PGM)  USER(*ALL)

This command removes the authorities (AUT was not specified; *CHANGE is assumed) from all users who were either explicitly or publicly authorized, except the owner, for the program (*PGM) named PROG1 located in the library named ARLIB.

Example 2: Removing Object Owner's Authority to Delete a Program

RVKOBJAUT  OBJ(SMITHLIB/TSMITHPGM)
  OBJTYPE(*PGM)  USER(TMSMITH)
  AUT(*OBJEXIST)

This command removes the object owner's (TMSMITH) authority to delete a program (TSMITHPGM) in his library (SMITHLIB). The object owner might do this to ensure that the object is not deleted by mistake. If the owner ever wants to delete the object, object existence authority for the object can be granted again by using the Grant Object Authority (GRTOBJAUT) command.

Example 3: Removing *DLT and *UPD Authorities

RVKOBJAUT   OBJ(FILEX)  OBJTYPE(*FILE)
  USER(HEANDERSON)  AUT(*DLT *UPD)

This command removes delete and update authorities for the file named FILEX from the user HEANDERSON.

Example 4: Removing *OBJEXIST Authority

RVKOBJAUT  OBJ(ARLIB/ARJOBD)  OBJTYPE(*JOBD)
  USER(RLJOHNSON)  AUT(*OBJEXIST)

This command removes the object existence authority for the object named ARJOBD from the user RLJOHNSON. ARJOBD is a job description that is located in the library named ARLIB.

Example 5: Removing Specific Authorities

RVKOBJAUT  OBJ(FILEX)  OBJTYPE(*FILE)
  AUTL(FILEUSERS)

This command removes specific authorities for the file named FILEX from the users in the authorization list FILEUSERS.

Error messages for RVKOBJAUT

*ESCAPE Messages

CPF22A0
Authority of *AUTL is allowed only with USER(*PUBLIC).
CPF22A1
OBJTYPE(*AUTL) not valid on this command.
CPF22A2
Authority of *AUTL not allowed for object type *USRPRF.
CPF22A3
AUTL parameter not allowed for object type *USRPRF.
CPF22A4
*EXCLUDE cannot be revoked from *PUBLIC.
CPF22A5
Object &1 in &3 type *&2 not secured by authorization list &4.
CPF22DA
Operation on file &1 in &2 not allowed.
CPF2207
Not authorized to use object &1 in library &3 type *&2.
CPF2208
Object &1 in library &3 type *&2 not found.
CPF2209
Library &1 not found.
CPF2210
Operation not allowed for object type *&1.
CPF2211
Not able to allocate object &1 in &3 type *&2.
CPF2216
Not authorized to use library &1.
CPF2224
Not authorized to revoke authority for object &1 in &3 type *&2.
CPF2227
One or more errors occurred during processing of command.
CPF2236
AUT input value not supported.
CPF2243
Library name &1 not allowed with OBJ(generic name) or OBJ(*ALL).
CPF2253
No objects found for &1 in library &2.
CPF2254
No libraries found for &1 request.
CPF2273
Authority may not have been changed for object &1 in &3 type *&2 for user &4.
CPF2283
Authorization list &1 does not exist.
CPF326A
Operation not successful for file &1 in library &2.
CPF327F
Operation not successful for file &1 in library &2.
CPF3381
Revoke authority not allowed from spool user profile QSPL.
CPF980B
Object &1 in library &2 not available.
CPF9804
Object &2 in library &3 damaged.
CPF9814
Device &1 not found.
CPF9825
Not authorized to device &1.
CPF9873
ASP status is preventing access to object.