The Retrieve Object Authority command provides an interface to the
QSYRUSRA API. It allows return variables to be specified in a
program to determine if the user is authorized to an object.
Individual authority, group profile adopt, and program adopt are
all considered. RTVOBJAUT allows you to determine which authority is
being used.
A typical command would be entered as:

             DCL        &OBJAUT *CHAR LEN(10)
              .
             RTVOBJAUT  OBJ(xxx) OBJTYPE(yyy) OBJAUT(&OBJAUT)
             IF         (&OBJAUT *EQ '*CHANGE') DO

You can return one or more variables on each use of RTVOBJAUT.

Most of the return variables are a single byte of information
which will contain X or blank depending on whether the 'object
right' (e.g. OBJOPR) or the 'data right' (e.g. UPD) is specified.

You can also return information about adopted authority if the
program is running under a 'program adopt' environment.

The API returns Y/N values. These are translated to X/blank values,
which are more familiar to the external user.

        ************************************************
        *                                              *
        *  If the program is not in a 'program adopt'  *
        *  environment, the return parameters for      *
        *  the adopted authority (e.g. ADPDATAUPD)     *
        *  will be returned as blanks.                 *
        *                                              *
        ************************************************

        ************************************************
        *                                              *
        *  If USER(*CURRENT) is not specified, the     *
        *  return parameters for the adopted           *
        *  authority (e.g. ADPDATAUPD) will be         *
        *  returned as blanks even if the program      *
        *  is running under an 'adopted authority'.    *
        *                                              *
        ************************************************

Authority controlled by an Authorization List
---------------------------------------------
If authority is controlled by an Authorization List (*AUTL) and the
user has no specific authority to the object, the user's authority to
the Authorization List is returned. For example, if you are checking
for *PUBLIC authority and *PUBLIC = *AUTL for the object, the *PUBLIC
authority from the Authorization List is returned.
Command parameters *CMD
------------------
   OBJ           The qualified object name. The library value
                 defaults to *LIBL. *CURLIB may also be specified.

   OBJTYPE       The object type. Any valid type may be entered.

   USER          The user profile to be checked. The default is
                 *CURRENT. *PUBLIC or a specific name may also be
                 entered. See the restrictions if you enter a value
                 other than *CURRENT.

   USEAUT        Does the user have at least *USE authority. This is
                 a simple Y/N field which has a Y if the user has at
                 least OBJOPR and READ rights. The user may have
                 other rights and the CHGAUT variable may also be a
                 Y.

   CHGAUT        Does the user have at least *CHANGE authority. This
                 is a simple Y/N field which has a Y if the user has
                 at least OBJOPR, READ, ADD, UPD, and DLT. The user
                 may have other rights.

The rest of the return variables are direct correlations with the
fields that exist on DSPOBJAUT and are not described here. They are
mostly obvious if you prompt for RTVOBJAUT. You may review the field
descriptions for the QSYRUSRA API if needed.
The following describes some detail which may not be obvious.
  **   The AUTHSRC variable returns a 2 byte value where the codes
       are as follows:

           UA     The user has *ALLOBJ special authority
           UO     The user is privately authorized to the object
           UL     The user is privately authorized to the
                  authorization list
           GA     The user's group has *ALLOBJ authority
           GO     The user's group is privately authorized
                  to the object
           GL     The user's group is privately authorized
                  to the authorization list
           PO     The user accesses the object through
                  the public authority
           PL     The user accesses the object through
                  the public authority of the authorization list
           AD     All of the authority that the user has
                  comes from adopted authority. This value
                  can only be returned if USER(*CURRENT) is
                  specified.

  **   The SOMEADP field is set to X or blank depending on whether
       any adopted authorities are being used. It will only return an
       X value if USER(*CURRENT) is specified and the program is
       in a 'program adopt' environment.

** The ADPxxx return variables provide the detail of what is
adopted if the program is operating in a 'program adopt'
environment. They will be blank if the program is not in a
'program adopt' environment. They will also be blank if
USER(*CURRENT) is not specified regardless of whether 'program
adopt' is used.
Assume a program is operating under 'program adopt' where the
owner has full authority. Assume the user of the program has
the 'data update' right, but not the 'data delete' right.
Both DATAUPD and DATADLT would be returned with X values
because 'program adopt' provides 'cumulative results'. Since
the user has 'data update', the ADPDATAUPD variable would be
returned as blank (the authority is coming from the user and
not the adopted profile). Since the user does not have 'data
delete', the ADPDATADLT variable would be returned as X.
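
The DATADLT/ADPDATADLT case above as a CL program. This is an added example, not code from the TAA Tool. The object MYLIB/CUSTMAST is hypothetical, and the keywords DATADLT, ADPDATADLT, SOMEADP and AUTHSRC are assumed to match the return-variable names used in this text; prompt RTVOBJAUT to confirm them.

```cl
/* Added example, not TAA Tool code. MYLIB/CUSTMAST is hypothetical. */
/* Keywords are assumed to match the variable names in the text.     */
PGM
   DCL VAR(&DATADLT)    TYPE(*CHAR) LEN(1)
   DCL VAR(&ADPDATADLT) TYPE(*CHAR) LEN(1)
   DCL VAR(&SOMEADP)    TYPE(*CHAR) LEN(1)
   DCL VAR(&AUTHSRC)    TYPE(*CHAR) LEN(2)

   /* USER(*CURRENT) is required, otherwise SOMEADP and ADPxxx come  */
   /* back blank and AUTHSRC can never be AD.                        */
   RTVOBJAUT OBJ(MYLIB/CUSTMAST) OBJTYPE(*FILE) USER(*CURRENT) +
             DATADLT(&DATADLT) ADPDATADLT(&ADPDATADLT) +
             SOMEADP(&SOMEADP) AUTHSRC(&AUTHSRC)

   /* Cumulative result: blank means no delete right from any source */
   IF COND(&DATADLT *NE 'X') THEN(DO)
      SNDPGMMSG MSG('No data delete right to MYLIB/CUSTMAST')
      RETURN
   ENDDO

   /* AD: every right the user has on the object is adopted          */
   IF COND(&AUTHSRC *EQ 'AD') THEN(DO)
      SNDPGMMSG MSG('All authority to MYLIB/CUSTMAST is adopted')
      RETURN
   ENDDO

   /* X in ADPDATADLT: this one right is supplied by adoption only   */
   IF COND(&ADPDATADLT *EQ 'X') THEN(DO)
      SNDPGMMSG MSG('Data delete is adopted, own source ' *CAT &AUTHSRC)
      RETURN
   ENDDO

   /* Blank ADPDATADLT: the right is the user's own, per AUTHSRC     */
   SNDPGMMSG MSG('Data delete is not adopted, source ' *CAT &AUTHSRC)
   IF COND(&SOMEADP *EQ 'X') THEN(SNDPGMMSG MSG('Other rights are adopted'))
ENDPGM
```

Run it from inside the adopting program and again from a program that does not adopt: a user whose delete right disappears in the second run depends entirely on adoption for that right.
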
Restrictions
------------
The API has a few restrictions if USER(*CURRENT) is not specified.
See the previous discussion for the setting of the ADPxxx return
values. For a complete list see the API description.
** If a specific user name is requested, the user must have
*OBJMGT authority to the object and *READ authority to the
user profile.
** If *PUBLIC is requested, the *PUBLIC must have *OBJMGT
authority to the object.
Prerequisites
-------------
The following TAA Tools must be on your system:
SNDESCMSG Send escape message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------
   RTVOBJAUT     *CMD                   TAASECT       QATTCMD
   TAASECTC      *PGM       CLP         TAASECTC      QATTCL