Specifying public authority to i5/OS database files

Specifying public authority

Public authority is given to users who do not have any specific authority to an object, who are not on the authorization list of the object, or whose group profile has no specific authority to the object. When you create a file, you can specify and grant public authority. You can specify public authority through the AUT parameter on the Create Physical File (CRTPF) or Create Source Physical File (CRTSRCPF) command. Public authority is the last authority check made. That is, if the user has specific authority to a file or the user is a member of a group with specific authority, then the public authority is not checked. Public authority can be specified as:

*LIBCRTAUT. The library in which the file is created is checked to determine the public authority of the file when the file is created. An authority is associated with each library. This authority is specified when the library is created, and all files created into the library are given this public authority if the *LIBCRTAUT value is specified for the AUT parameter of the Create File (CRTLF, CRTPF, and CRTSRCPF) commands. The *LIBCRTAUT value is the default public authority.

*CHANGE. All users that do not have specific user or group authority to the file have authority to change data in the file.

*USE. All users that do not have specific user or group authority to the file have authority to read data in the file.

*EXCLUDE. Only the owner, security officer, users with specific authority, or users who are members of a group with specific authority can use the file.

*ALL. All users that do not have specific user or group authority to the file have all data authorities along with object operational, object management, and object existence authorities.

Authorization list name. The authorization list is a list of users and their authorities. The list allows users and their different authorities to be grouped together.

When you create a logical file, no data authorities are granted. Consequently, *CHANGE is the same as *USE, and *ALL does not grant any data authority. You can grant public authority in the following ways:

Define public authority using iSeries™ Navigator.

Use the Edit Object Authority (EDTOBJAUT), Grant Object Authority (GRTOBJAUT), or Revoke Object Authority (RVKOBJAUT) command to grant or revoke the public authority of a file.

You can also use iSeries Navigator to set default public authority for a new file.

Defining public authority using iSeries Navigator
Public authority is defined for every object on the system to describe what type of access a user has to the object when that user has no specific access to it. You can define public authority for a database file using iSeries Navigator.

Setting a default public authority using iSeries Navigator
By setting a default public authority from iSeries Navigator, you can have a common authority to all new objects when they are created in a library. You can edit the permissions for individual objects that require a different level of security.

Parent topic:
Securing database files

Related reference

Create Physical File (CRTPF) command
Create Source Physical File (CRTSRCPF) command
Edit Object Authority (EDTOBJAUT) command
Grant Object Authority (GRTOBJAUT) command
Revoke Object Authority (RVKOBJAUT) command