CRTAUTHLR (Create Authority Holder)


Purpose

The Create Authority Holder (CRTAUTHLR) command allows a user to create an authority holder to secure an object of type *FILE before it exists on the system. The file must be a program-described database file. When an object by the specified name is created, the authorities specified in the authority holder are linked to the newly created object.

The authority holder is associated with one specific object, object type, and library. This allows only users with the correct authority to access the object. The authority holder and associated object always have the same owner.

If the object has authorities associated with it, they are linked to the newly created authority holder. The owner of the object becomes the owner of the authority holder. Authority holders are located in library QSYS.

 

Restrictions

  1. This command is shipped with public *EXCLUDE authority.
  2. The object type being secured by the new authority holder is limited to *FILE. The file must be a program-described database file.
  3. The authority holder cannot be created for objects located in libraries QRCL, QRECOVERY, QSPLxxxx, QSYS, or QTEMP.
  4. Authority holders can only secure files in the system auxiliary storage pool (ASP) or a basic user ASP.

 

Required Parameters

OBJ
Specifies the qualified name of the database file that the authority holder secures when it is created.

 

Optional Parameters

AUT
Specifies the authority given to users who do not have specific authority to the object, who are not on an authorization list, and whose group profile or supplemental group profiles do not have specific authority to the object.

*LIBCRTAUT: The public authority for the object is taken from the value on the CRTAUT parameter of the target library (the library that is to contain the object). The public authority is determined when the object is created. If the CRTAUT value for the library changes after the object is created, the new value does not affect any existing objects.

*CHANGE: The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority. The user can change and perform basic functions on the object. Change authority provides object operational authority and all data authority. If the object is an authorization list, the user cannot add, change, or remove users.

*ALL: The user can perform all operations except those limited to the owner or controlled by authorization list management authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the object.

*USE: The user can perform basic operations on the object, such as running a program or reading a file. The user cannot change the object. *USE authority provides object operational authority, read authority, and execute authority.

*EXCLUDE: The user cannot access the object.

authorization-list-name: Specify the name of the authorization list used.

Examples for CRTAUTHLR

Example 1: Granting EXCLUDE Authority

CRTAUTHLR  OBJ(QGPL/FIL1)  AUT(*EXCLUDE)

By running this command, user ONE creates an authority holder with *EXCLUDE authority.

Example 2: Granting USE Authority

GRTOBJAUT  OBJ(QGPL/FIL1)  OBJTYPE(*FILE)  USER(TWO)  AUT(*USE)

By running this command, user ONE grants *USE authority to user TWO for the specified authority holder.

Example 3: Granting Matching Authority

CRTSRCF  FILE(QGPL/FIL1)

By running this command, user ONE creates a file that has a matching authority holder. User ONE becomes the owner of the file with user TWO having *USE authority to QGPL/FIL1.
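The three steps above can be wrapped in one CL program that also enforces restriction 3 and handles an already-existing holder. This is an added example, not part of the original command reference: the parameter names &LIB, &FILE and &USER are hypothetical, and the caller is assumed to be authorized to CRTAUTHLR, which ships with public *EXCLUDE authority.

```cl
/* Added example: pre-secure a file before it exists, then list    */
/* the authority holders for review. &LIB, &FILE and &USER are     */
/* hypothetical parameter names.                                   */
PGM        PARM(&LIB &FILE &USER)
  DCL        VAR(&LIB)  TYPE(*CHAR) LEN(10)
  DCL        VAR(&FILE) TYPE(*CHAR) LEN(10)
  DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

  /* Restriction 3: stop early for libraries the command rejects   */
  IF         COND((&LIB *EQ 'QRCL') *OR (&LIB *EQ 'QRECOVERY') *OR +
               (&LIB *EQ 'QSYS') *OR (&LIB *EQ 'QTEMP') *OR +
               (%SST(&LIB 1 4) *EQ 'QSPL')) THEN(DO)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Authority holder not allowed in library' +
                 *BCAT &LIB) MSGTYPE(*ESCAPE)
  ENDDO

  /* Public *EXCLUDE: users without specific authority get nothing */
  CRTAUTHLR  OBJ(&LIB/&FILE) AUT(*EXCLUDE)
  /* CPF22B5: holder already exists. It is kept as it is, so       */
  /* review its authorities in the listing produced below.         */
  MONMSG     MSGID(CPF22B5)

  /* Authority granted to the holder is linked to the file when    */
  /* a file with this name is later created (Examples 2 and 3)     */
  GRTOBJAUT  OBJ(&LIB/&FILE) OBJTYPE(*FILE) USER(&USER) AUT(*USE)

  /* Print the authority holders on the system for the record      */
  DSPAUTHLR  OUTPUT(*PRINT)
ENDPGM
```

Any other escape message from CRTAUTHLR, such as CPF22B2 or CPF2163, is left unmonitored so the program ends instead of continuing without a holder in place.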

Error messages for CRTAUTHLR

*ESCAPE Messages

CPC2212
Authority holder created.
CPF2122
Storage limit exceeded for user profile &1.
CPF2163
Creation of authority holder in &2 not allowed.
CPF22BA
Authority holder could not be created.
CPF22BC
Object &1 type &3 is not program defined.
CPF22B2
Not authorized to create or delete authority holder.
CPF22B5
Authority holder already exists.
CPF22B6
Authority holder could not be created.
CPF2283
Authorization list &1 does not exist.
CPF2289
Unable to allocate authorization list &1.
CPF9803
Cannot allocate object &2 in library &3.