TAA Tools

The  DSPUSRAUT command  has  mostly  been  replaced by  the  DSPUSRAUT2
command.    You  should try  DSPUSRAUT2  first  which  uses  an API  to
determine  whether a  user is authorized.   There  are some differences
between the two tools.

The Display User  Authority command lets  you review authorizations  by
combining  the  individual  object   authorities,  group  profiles  and
authorization  lists.  The intent is to  duplicate the type of checking
performed by the  system so  that you  can ask the  following types  of

       Who can update FILEA?

       What can USERX do to the objects in LIBY?

       What can *PUBLIC do to the objects in LIBZ?

The authorization checking includes:

     - Object authorizations

     - Authorization list authorizations

     - Group profile authorizations

     - *ALLOBJ authority checking

     - Library authority (it is printed also)

DSPUSRAUT does not consider:

     - The use of program adopt - USRPRF(*OWNER)

     - Authority holders

     - Dynamic switching of  group profiles (The system only supports a
       single group profile at  a time, but it is possible to switch in
       the middle of a job - See the TAA tool CHGGRPPRF)

There are three commands provided:

   CVTUSRAUT     Lets you  specify what authority environment  you want
                 to capture.   For example, it could  be all objects in
                 one or  several  libraries.    The  output  from  this
                 command is  a data  base file  (USRAUTP) that is  used
                 by DSPUSRAUT.   The data  base file also  includes one
                 record for each user profile on the system.

                 CVTUSRAUT  is  a long  running  command and  should be
                 submitted to  batch.   If  you  name large  libraries,
                 the command will take even longer.

                 A typical command would be:


                 This  would  result in  all  the  authorities for  all
                 objects  in the 3 named  libraries being captured into
                 the USRAUTP file in library LIB1.

   DSPUSRAUT     Lets you display the  authorities that are in  USRAUTP
                 and provides  many different  selection criteria.   It
                 would  be  typical  to  use  DSPUSRAUT  several  times
                 before refreshing the USRAUTP file with CVTUSRAUT.

                 A typical command would be:


                 A display  would appear  with all  of the  information
                 about  the  user  JONES for  the  objects  in  library
                 LIBX.   Any objects owned by JONES  would be excluded.
                 Any   objects  that  JONES  could  access  because  of
                 public authority  would be  shown in  addition to  any
                 that JONES had direct authority to.

                 If JONES is  a member of a group,  his authority would
                 still   be  shown   if  the  group   was  specifically
                 authorized.  If JONES is  excluded from an object,  it
                 would also be shown.

                 If JONES  had a specific  authority to the  object and
                 the  object was also secured  by an authorization list
                 where JONES has explicit authority  or is a member  of
                 a  group  that   has  authority,  only   the  explicit
                 authorization  to the  object  would be  shown.   This
                 reflects   the  way   the  system   performs  security
                 checking  (The first  authorization  found  determines
                 authority based on a sequence of checks).

                 Similarly,  if JONES  was authorized  to *USE  and the
                 public  is  authorized  to  *CHANGE,  JONES  may  only
                 'use' the object and this is what will be shown.

                 A -- indication appears to  the left of the  authority
                 description  for   the  *PUBLIC  user  if   a  private
                 authority  is less than  the *PUBLIC  authority.  This
                 is inefficient from  a authority checking  performance
                 viewpoint and should be avoided if you can.

                 An  outfile option  may be  specified  to capture  the
                 information  as it  appears on  the  report in  a data
                 base  file.   This  would  normally be  used  with the
                 CMPUSRAUT command.

   CMPUSRAUT     Compares  the  output  from  two  different   uses  of
                 DSPUSRAUT to an outfile.

                 The  intent of CMPUSRAUT  is to  allow you  to capture
                 the  security  environment  at one  point  and  make a
                 thorough  review  with  DSPUSRAUT.    Then  using  the
                 DSPUSRAUT   OUTFILE  option   you   can  capture   the
                 information  in a  data base  file  as it  appeared on
                 the DSPUSRAUT printout.   At  a later  point you  want
                 to  determine the  changes that  have  occurred.   You
                 need  to  run  CVTUSRAUT  and  then  DSPUSRAUT  to  an
                 OUTFILE   again.    CMPUSRAUT  can  then  be  used  by
                 specifying   the  two   different   outfiles   and   a
                 differences report will be printed.

                 The report  will print one  line per object.   It will
                 note  new objects,  ownership changes,  authority list
                 changes, new grants that  have occurred, revokes  that
                 have  occurred and  changes  to previously  authorized

                 Any  changes  to  the  authority  environment are  not
                 reflected until CVTUSRAUT is run again.

                 A typical command would be:

                    CMPUSRAUT   FROMUSRAUT(xxx) TOUSRAUT(yyy)

Auditing review

An auditor may  want to  periodically review  the authorizations  using
DSPUSRAUT.   A  reasonable  technique  would  be to  use  the  multiple
member capability of the USRAUTP file for each environment needed.

For  example, assume  you  have 5  different application  areas.   Each
area  may involve several  libraries.  You could  use CVTUSRAUT 5 times
and name  each of the  application areas  to be stored  in a  different
member of USRAUTP such as:


The  Security  Officer  would   run  CVTUSRAUT  (*ALLOBJ  authority  is
needed) and then authorize the auditor to *USE of the USRAUTP file.

The  auditor can  then use DSPUSRAUT  and specify  the application area
to be reviewed such as:

                         USRAUTPLIB(LIB1) USRAUTPMBR(APP1)

CVTUSRAUT Command parameters                          *CMD

CVTUSRAUT is a long running  command and should be submitted to  batch.
It creates the USRAUTP file used by DSPUSRAUT.

   LIB           The library  or libraries  to be included.   Up  to 40
                 libraries  may be named  or the  special values *LIBL,
                 *USRLIBL, *CURLIB, *ALL, or *ALLUSR.

   OBJ           The generic object name to  be included.  The  default
                 is *ALL.   If a generic  name is desired, no  * should
                 be entered.

   OBJTYPE       A list  of object types  to be included.   *ALL is the
                 default.   Most  of the system  supported object types
                 may be  named  except for  *LIB and  *AUTL.   Use  the
                 command  prompt  for  a  full list  of  the  supported
                 types.    A  list of  up  to 10  object  types  may be

   OUTLIB        The library  for the  USRAUTP file.    The default  is
                 *LIBL.  A  library must be specified if  the file does
                 not exist.

   OUTMBR        The  member  for the  USRAUTP  file.   The  default is
                 USRAUTP.  If the member  does not exist, it is  added.
                 If the member exists, it is cleared.

DSPUSRAUT Command parameters                          *CMD

DSPUSRAUT  displays the  authorities  in  the  USRAUTP file  that  were
captured  by CVTUSRAUT.   Most of the  parameters on DSPUSRAUT  let you
subset  the amount of  information in the  output.  If  you take all of
the defaults, all authorities are shown.

   USER          The user to display  authorities for.  The default  is

   PUBLIC        Whether to  include the *PUBLIC user.   The default is

   AUT           The  authorization you want  to display.   The default
                 is *ANY meaning any  authorization is displayed.   You
                 may  also specify  *USE, *CHANGE,  *ALL, or  *EXCLUDE.
                 You  may  also  request the  specific  Object  or Data
                 rights (See later parameters).

   LIB           The library  to  be included.    The default  is  *ALL
                 which means all  libraries found in the  USRAUTP file.

   OBJ           The generic  object name to be included.   The default
                 is  *ALL.  A generic name  should be entered without a
                 trailing *.

   OBJTYPE       The  object type  to  be  included.   The  default  is

   OWNED         Whether  to include  owned  objects.   The default  is
                 *INCLUDE.    You  may  also  specify  *OMIT or  *ONLY.
                 Specifying OWNED(*OMIT)  is usually  a good  technique
                 for reducing the  amount of information you  will need
                 to review.

   USRAUTPLIB    The   library  for   the   USRAUTP  file   created  by
                 CVTUSRAUT.  The default is *LIBL.

   USRAUTPMBR    The member of the USRAUTP  file to be processed.   The
                 default is *FIRST.

   OBJOPR        Whether to  include only those  records that  have the
                 Object  Operational   right.    The   default  is  *NO
                 meaning  the  records  are always  included.    If you
                 specify *YES, no record  will be displayed unless  the
                 user has the Object Operational right.

                 The  other Object and  Data rights  work in  a similar

                 If  you  specify any  of  the Object  or  Data rights,
                 AUT(*ANY) must be used.

                 If you specify  multiple rights  such as  Obj Mgt  and
                 Read, you will  see only those records  that meet both

   OBJMGT        Whether  to include only  those records  that have the
                 Object Management right.

   OBJEXS        Whether to include  only those records  that have  the
                 Object Existence right.

   READ          Whether to  include only those  records that  have the
                 Read Data right.

   ADD           Whether  to include only  those records that  have the
                 Add Data right.

   UPD           Whether  to include  only those records  that have the
                 Update Data right.

   DLT           Whether to  include only those  records that have  the
                 Delete Data right.

   OUTPUT        The   standard  OUTPUT   parameter   for  display   or
                 printing.   *  is the  default.   *PRINT may  be used.
                 *OUTFILE is also supported.

   OUTFILE       The name of the outfile to  be used.  The name of  the
                 model outfile  used is TAASECNS  in TAATOOL.   It uses
                 a  format  name of  USRAUT.   The  records  which will
                 exists in  the  file are  a  duplicate of  what  would
                 appear in  the detail portion  of the  printed output.

                 The intent  of the outfile  parameter is to  allow for
                 some  unique processing to  occur with the information

                 The outfile  will be  owned  by the  user running  the
                 DSPUSRAUT  command that  creates the  file.   The file
                 will  be private.   You  may authorize other  users to
                 the file.

                 The outfile  is not  the same  as  USRAUTP.   Although
                 many  of the  field names  are the  same, the  records
                 which  exist  will  differ.   USRAUTP  is  an internal
                 file and is not designed for application use.

   OUTMBR        The standard OUTMBR  option for outfiles.   This is  a
                 list with the  default of *FIRST member  and *REPLACE.
                 You  may specify a  unique member  name and  also *ADD
                 for adding records to an existing member.

CMPUSRAUT Command parameters                          *CMD

CMPUSRAUT   compares  two  different  uses  of  the  DSPUSRAUT  OUTFILE
option.  This  allows you to determine  the changes that have  occurred
during the two uses of DSPUSRAUT.

Normally, you  would run DSPUSRAUT without any  selection criteria (all
defaults) and specify an OUTFILE.

Any  new objects are shown.   Any changes in  ownership, authority list
or individual authorizations  are shown.  Any  deleted objects are  not

   FROMUSRAUT    The FROM  file to  be compared.   This  should be  the
                 same  file you specified  on the  OUTFILE parameter of
                 DSPUSRAUT.  A  qualified name  is used.   The  library
                 defaults to  *LIBL.   The FROMFILE  would normally  be
                 the oldest file (oldest use of DSPUSRAUT).

   TOUSRAUT      The TO  file to be compared.  This  should be the same
                 file   you  specified  on  the  OUTFILE  parameter  of
                 DSPUSRAUT.   A qualified name  is used.   The  library
                 defaults  to *LIBL.   The  TO file  would  normally be
                 the newest use of DSPUSRAUT.

   FROMMBR       The  member in  the  FROMUSRAUT file.   *FIRST  is the

   TOMBR         The member  in  the  TOUSRAUT  file.   *FIRST  is  the

   SELLIB        The name of  the library be be selected.   The default
                 is  *ALL meaning  all libraries found  in the  TO file
                 will appear in the report.

   SELOBJ        The generic name of the  objects to be selected.   The
                 default is *ALL.   The generic name should  be entered
                 without an *.

   SELOBJTYPE    The  object  type to  be  selected.    The default  is

   PRTFILE       The  printer  file to  use.   QPRINT  in *LIBL  is the


  **   The information  supplied by  DSPUSRAUT  is only  as current  as
       the last use of CVTUSRAUT.

  **   The program adopt function is not included.

  **   Authority holders are not included.

  **   Multiple user profiles are not supported.

  **   Multiple  USRAUTP  members  cannot  be combined  together  using
       CPYF.   All output from DSPUSRAUT must  occur from a member that
       was created from a single CVTUSRAUT command.

  **   The object types *LIB and  *AUTL are special cased by  DSPUSRAUT
       and cannot  be specified on CVTUSRAUT.   If the QSYS  library is
       processed,  these object types  are removed (they  are picked up
       later with  special processing).    For any  library  converted,
       the  library   authority  is  always   shown  as  well   as  any
       authorization lists used by the objects.

  **   CMPUSRAUT  compares  using the  TO  file  as a  base.   Any  new
       objects  are shown, but any objects  that only exist in the FROM
       file are not shown.


The following TAA Tools must be on your system:

     CHKGENERC    Check generic
     EDTVAR       Edit variable
     RTVDAT       Retrieve date
     SCNVARRGT    Scan variable right
     SNDCOMPMSG   Send completion message
     SNDESCMSG    Send escape message
     SNDSTSMSG    Send status message
     SORTDB       Sort data base file


None, the tool is ready to use.

Objects used by the tool

   Object        Type        Attribute      Src member    Src file
   ------        ----        ---------      ----------    ----------

   DSPUSRAUT     *CMD                       TAASECN       QATTCMD
   CVTUSRAUT     *CMD                       TAASECN2      QATTCMD
   CMPUSRAUT     *CMD                       TAASECN4      QATTCMD
   TAASECNC      *PGM           CLP         TAASECNC      QATTCL
   TAASECNC2     *PGM           CLP         TAASECNC2     QATTCL
   TAASECNC3     *PGM           CLP         TAASECNC3     QATTCL
   TAASECNC4     *PGM           CLP         TAASECNC4     QATTCL
   TAASECNR      *PGM           RPG         TAASECNR      QATTRPG
   TAASECNR2     *PGM           RPG         TAASECNR2     QATTRPG
   TAASECNR3     *PGM           RPG         TAASECNR3     QATTRPG
   TAASECNR4     *PGM           RPG         TAASECNR4     QATTRPG
   TAASECNP      *FILE          PF          TAASECNP      QATTDDS
   TAASECNS      *FILE          PF          TAASECNS      QATTDDS
   TAASECNT      *FILE          PF          TAASECNT      QATTDDS
   TAASECNU      *FILE          PF          TAASECNU      QATTDDS


         TAASECNP   PF
         TAASECNT   PF



Added to TAA Productivity tools April 1, 1995

Home Page Up to Top