GRTWSOAUT (Grant Workstation Object Authority)
GRTWSOAUT Command syntax diagram
Purpose
The Grant Workstation Object Authority (GRTWSOAUT) command is used by one user to grant specific authority for the workstation object named in this command to another user or group of users. Workstation objects are used by the OS/400 Graphical Operations program.
Authority can be given to:
- Named users
- Users (*PUBLIC) who do not have authority specifically given to them either for the object or for the authorization list
- Groups of users who do not have any authority to the object or are not on the authorization list that secures the object
- Users of the referenced workstation object (specified on the REFWSO parameter)
- Users on an established authorization list
When AUT(*AUTL) is specified, the user can specify the authority for:
- All users who do not have authority specifically given to them for an object.
- Users who are not on the authorization list that secures the object.
- Users whose user group does not have authority specifically given to it.
- Users whose user group is not on the authorization list that secures the object.
This command can be used by an object owner, by the security officer, or by a user with object management authority for the specified object.
Restrictions
- A user must be either the owner of the object or have *ALL authority to use the AUTL parameter.
- The user must have object management authority to the object to grant authority to the object.
- AUT(*AUTL) can be specified only with USER(*PUBLIC). User profile names cannot be secured by an authorization list (*AUTL).
- Only the owner of the object, or someone with all object authority (*ALLOBJ), can grant object management authority to a user.
Required Parameters
- WSOTYPE
- Specifies the name of the workstation object for which specific authorities are given to one or more users or to an authorization list.
The special values for this parameter are described in the following table.
Special Value   Workstation Objects
*TPLWRKARA      Work area template
*WRKARA         Work area objects
*TPLPRTOL       Printer output list template
*PRTOL          Printer output list objects
*TPLTPRTL       Printer list template
*PRTL           Printer list objects
*TPLOUTQ        Output queue template
*TPLOUTQL       Output queue list template
*OUTQL          Output queue list objects
*TPLJOBL        Job list template
*JOBL           Job list objects
*TPLJOBQ        Job queue template
*TPLJOBLOG      Job log template
*JOBLOG         Job log objects
*TPLJOBQL       Job queue list template
*JOBQL          Job queue list objects
*TPLMSGL        Message list template
*MSGL           Message list objects
*TPLMSGQ        Message queue template
*TPLMSGSND      Message sender template
*MSGSND         Message sender
*TPLSGNUSL      Signed-on user list template
*SGNUSL         Signed-on user list objects
*TPLOBJL        Object list template
*OBJL           Object list objects
*TPLLIBSL       Library list template
*LIBSL          Library list objects
*TPLLIB         Library template
*TPLLAUNCH      Job submitter template
*LAUNCH         Job submitter objects
*PRSSET         Personal setting objects
- USER
- Specifies the user profile names of one or more users to whom authorities for the named object are being given. If user names are specified, the authorities are given specifically to those users. Authority given by this command can be revoked specifically by the Revoke Workstation Object Authority (RVKWSOAUT) command.
*PUBLIC: All users of the system, who do not have authority specifically given to them for the object, who are not on the authorization list, whose user group does not have any authority, or whose user group is not on the authorization list, are authorized to use the object as specified on the AUT parameter.
user-profile-name: Specify the user profile names of one or more users who have specific authority for the object. A maximum of 50 user profile names can be specified.
- AUTL
- Specifies the name of the authorization list whose members are given authority for the object specified on the WSOTYPE parameter.
- REFWSO
- Specifies the name of the workstation object being queried to obtain authorization information. Those authorizations are given to the object specified on the WSOTYPE parameter. Users authorized to the referenced object are authorized in the same manner to the object for which authority is being given. If the referenced object is secured by an authorization list, that authorization list secures the object specified on the WSOTYPE parameter. Specify the name of the object.
Optional Parameters
- AUT
- Specifies the authority given to users specified on the USER parameter. Users must have *AUTLMGT authority to manage the authorization list.
*CHANGE: The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority. The user can change and perform basic functions on the object. Change authority provides object operational authority and all data authority.
*ALL: The user can perform all operations except those limited to the owner or controlled by authorization list management authority. The user can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user also can change ownership of the workstation object.
*USE: The user can perform basic operations on the workstation object, such as running a program or reading a file. The user cannot change the workstation object. *USE authority provides object operational authority, read authority, and execute authority.
*EXCLUDE: The user cannot access the workstation object.
*AUTL: The public authority of the authorization list specified on the AUTL parameter is used for the public authority for the object.
A maximum of ten of the following values can be specified:
*OBJALTER: Object alter authority provides the authority needed to alter the attributes of an object. If the user has this authority on a database file, the user can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user has this authority on an SQL package, the user can change the attributes of the SQL package. This authority is currently only used for database files and SQL packages.
*OBJEXIST: Object existence authority provides the authority to control the object's existence and ownership. This authority is necessary for users who want to delete the object, free storage of the object, perform save and restore operations for the object, or transfer ownership of the object. (If a user has special save system authority (*SAVSYS), object existence authority is not required.) Object existence authority is required to create an object that has been named by an authority holder.
*OBJMGT: Object management authority provides the authority to specify the security for the object, move or rename the object, and add members to database files.
*OBJOPR: Object operational authority provides authority to look at the description of an object and use the object, as determined by the data authorities that the user has to the object.
*OBJREF: Object reference authority provides the authority needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user has this authority on a physical file, the user can add referential constraints in which the physical file is the parent. This authority is currently only used for database files.
*ADD: Add authority provides the authority to add entries to an object (for example, job entries to a queue or records to a file).
*DLT: Delete authority allows the user to remove entries from an object, for example, remove messages from a message queue or records from a file.
*EXECUTE: Execute authority provides the authority needed to run a program or to locate an object in a library.
*READ: Read authority provides the authority needed to get the contents of an entry in an object or to run a program.
*UPD: Update authority provides the authority needed to change the entries in an object.
Example for GRTWSOAUT
GRTWSOAUT WSOTYPE(*TPLWRKARA) AUTL(KLIST)
This command gives authority to the work area template to the users with authority specified for them on the authorization list KLIST.
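The restrictions and parameter limits above can be checked mechanically before a grant is run. The following Python sketch is an added example, not part of the original reference or of OS/400: it parses a GRTWSOAUT command string and reports violations of the documented rules. The function names, the BROAD review policy for *PUBLIC, and the sample profile names are assumptions of this example.

```python
import re

# Values copied from the WSOTYPE table and AUT descriptions on this page.
WSOTYPES = set("""*TPLWRKARA *WRKARA *TPLPRTOL *PRTOL *TPLTPRTL *PRTL *TPLOUTQ
*TPLOUTQL *OUTQL *TPLJOBL *JOBL *TPLJOBQ *TPLJOBLOG *JOBLOG *TPLJOBQL *JOBQL
*TPLMSGL *MSGL *TPLMSGQ *TPLMSGSND *MSGSND *TPLSGNUSL *SGNUSL *TPLOBJL *OBJL
*TPLLIBSL *LIBSL *TPLLIB *TPLLAUNCH *LAUNCH *PRSSET""".split())
GENERIC = {"*CHANGE", "*ALL", "*USE", "*EXCLUDE", "*AUTL"}
SPECIFIC = {"*OBJALTER", "*OBJEXIST", "*OBJMGT", "*OBJOPR", "*OBJREF",
            "*ADD", "*DLT", "*EXECUTE", "*READ", "*UPD"}
# Assumption of this example, not a rule from the page: these grants to
# *PUBLIC are broad enough to deserve a manual review.
BROAD = {"*ALL", "*CHANGE", "*OBJMGT", "*OBJEXIST"}


def parse(cmd):
    """Split 'GRTWSOAUT KEY(v1 v2) ...' into {'KEY': ['V1', 'V2']}."""
    name, _, rest = cmd.strip().partition(" ")
    if name.upper() != "GRTWSOAUT":
        raise ValueError("not a GRTWSOAUT command")
    pairs = re.findall(r"(\w+)\(([^)]*)\)", rest)
    return {key.upper(): val.upper().split() for key, val in pairs}


def check(cmd):
    """Return a list of findings for one GRTWSOAUT invocation."""
    p = parse(cmd)
    users, aut = p.get("USER", []), p.get("AUT", [])
    findings = []
    if len(p.get("WSOTYPE", [])) != 1 or p["WSOTYPE"][0] not in WSOTYPES:
        findings.append("WSOTYPE: not a documented special value")
    if len(users) > 50:
        findings.append("USER: more than 50 user profile names")
    if "*AUTL" in aut and users != ["*PUBLIC"]:
        findings.append("AUT(*AUTL) requires USER(*PUBLIC)")
    unknown = [a for a in aut if a not in GENERIC | SPECIFIC]
    if unknown:
        findings.append("AUT: unknown value " + " ".join(unknown))
    if users == ["*PUBLIC"] and BROAD & set(aut):
        findings.append("REVIEW: broad authority granted to *PUBLIC")
    return findings


# Constructed sample invocations (profile names are made up).
if __name__ == "__main__":
    for c in ["GRTWSOAUT WSOTYPE(*TPLWRKARA) AUTL(KLIST)",
              "GRTWSOAUT WSOTYPE(*JOBL) USER(ALICE BOB) AUT(*AUTL)",
              "GRTWSOAUT WSOTYPE(*MSGL) USER(*PUBLIC) AUT(*CHANGE)"]:
        print(c, "->", check(c) or "ok")
```

The checker only covers rules visible in the command text; who is allowed to run the grant (owner, security officer, or a holder of object management authority) still has to be verified on the system.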