ADDAUTLE (Add Authorization List Entry)

ADDAUTLE Command syntax diagram

 

Purpose

The Add Authorization List Entry (ADDAUTLE) command allows the user to add entries to an authorization list. An entry consists of a user's name and the authorities associated with that user on the authorization list. Both the authorization list and the user profile must exist. If the specified user is already on the list, a message is issued and the user's authorities on the list are not changed.

The users who can use this command to add users to an authorization list are: the owner of the authorization list, a user with authorization list management (AUTLMGT) authority on the authorization list, or a user with all object (ALLOBJ) authority.

When the ADDAUTLE command is used to add a user to an authorization list, the user must specify the name of the authorization list, a list of authorized users, and a list of authorities specified for the list. Each user on the list is given the authorities specified on the command.

 

Restrictions

1. Authorization list management authority allows a user to manage the authorization list and, therefore, to manage the authorities for all objects secured by the list.
   
2. Only the owner of the list or a user with *ALLOBJ authority can add a user with *AUTLMGT authority.
   
3. A user with *AUTLMGT authority can add users and give specific authorities only to the *AUTLMGT level.

 

Required Parameters

AUTL

Specifies the name or generic name of the authorization list to which the users are being added. The authorization list must already exist.

authorization-list-name: Specify the name of the authorization list to which the user profile name is added.

generic*-authorization-list-name: Specify the generic name of the authorization list to which the user profile names are being added. A generic name is a character string of one or more characters followed by an asterisk (*); for example, ABC*. The asterisk substitutes for any valid characters. A generic name specifies all objects with names that begin with the generic prefix for which the user has authority. If an asterisk is not included with the generic (prefix) name, the system assumes it to be the complete object name. Generic names provides additional information.

USER

Specifies a list of user names to be added to the authorization list. Up to 50 user names can be specified. If a user profile name is already on the authorization list, a message is issued and the user's authorities are not changed.

 

Optional Parameters

AUT

Specifies the authority given to users specified on the USER parameter. Users must have *AUTLMGT authority to manage the authorization list.

*CHANGE: The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority. The user can change and perform basic functions on the object. Change authority provides object operational authority and all data authority. If the user profile name is an authorization list, the user cannot add, change, or remove user profile names.

*ALL: The user can perform all operations except those limited to the owner or controlled by authorization list management authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.

*USE: The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. *USE authority provides object operational authority, read authority, and execute authority.

*AUTLMGT: Authorization list management authority provides the authority to add users to the authorization list, to change users' authorities on the authorization list, or to remove users from the authorization list, to rename an authorization list, or to create a duplicate authorization list.

*OBJALTER: Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.

*OBJEXIST: Object existence authority provides the authority to control an object's existence and ownership. These authorities are necessary for users who want to delete an object, free storage for an object, perform save and restore operations for an object, or transfer ownership of an object. A user with special save system (*SAVSYS) authority does not need object existence authority to save or restore objects. Object existence authority is required to create an object that has been named by an authority holder.

*OBJMGT: Object management authority provides the authority to specify the security for an object, to move or rename an object, and to add members to database files.

*OBJOPR: Object operational authority provides authority to look at the description of an object and to use the object as determined by the data authorities held by the user.

*OBJREF: Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.

*ADD: Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).

*DLT: Delete authority allows the user to remove entries from an object, for example, remove messages from a message queue or records from a file.

*EXECUTE: Execute authority provides the authority needed to run a program or locate an object in a library or directory.

*READ: Read authority provides the authority needed to show the contents of an object.

*UPD: Update authority provides the authority needed to change the entries in an object.

Single Value

*EXCLUDE: The user cannot access the object.

Example for ADDAUTLE

ADDAUTLE  AUTL(PAYROLL)  USER(TOM)
  AUT(*ALL *AUTLMGT)

This command adds user TOM to the PAYROLL authorization list and gives him all authority to the objects secured by the authorization list. TOM also has authority to manage the authorization list.

Error messages for ADDAUTLE

*ESCAPE Messages

CPF22AA

Only *AUTLMGT authority can be specified with *ALL authority.

CPF22AB

Only *AUTLMGT can be specified with *CHANGE authority.

CPF22AC

Only *AUTLMGT authority can be specified with *USE authority.

CPF2253

No objects found for &1 in library &2.

CPF2280

*PUBLIC is always on authorization list, cannot be added.

CPF2281

The users specified do not exist on the system.

CPF2282

&1 errors adding users, &2 authorization lists processed.

CPF2283

Authorization list &1 does not exist.

CPF2284

Not authorized to change authorization list &1.

CPF2289

Unable to allocate authorization list &1.

CPF2290

*EXCLUDE cannot be specified with another authority.