The Revoke Duplicate Authorizations command provides a method for
checking and revoking duplicate authorizations, such as when a specific
user has *CHANGE authority to an object and the *PUBLIC user has the
same *CHANGE authority to that object. Group profiles and authorization
lists are also considered. By default only a check occurs, which
produces a listing (no authorizations are changed).
There are two security requirements to run RVKDUPAUT because of the
way in which the system outputs information to be analyzed:
** You must have *ALLOBJ authority in your user profile to use
RVKDUPAUT. The function cannot be adopted or come from a
group profile.
** You cannot be a member of a group. Your profile must be
GRPPRF(*NONE).
A typical command would be:
RVKDUPAUT OBJ(xxx/*ALL)
Several defaults occur:
** All objects of all types would be checked in the named
library.
** Only a 'check' would occur and a listing produced (no
authorizations would be changed).
** One line would be printed for the *PUBLIC user of each object.
** One line would be printed for each duplicate that would be
revoked if OPTION(*REVOKE) had been specified.
After reviewing the listing, you can revoke the same authorizations
by entering:
RVKDUPAUT OBJ(xxx/*ALL) OPTION(*REVOKE)
A similar listing would occur with the authorizations that were
revoked being flagged.
Processing will fail if lock types such as *EXCL exist on the
objects being processed, because the commands used internally (such as
DSPOBJAUT and RVKOBJAUT) must be able to operate successfully.
Duplicate authorization checking
--------------------------------
The owner record is not considered. The owner will typically have
all authorities to the object. The owner record will not print
unless PRTDETAIL(*ALL) is specified.
For each object, the authorizations to the object are checked and the
user record would be flagged if:
** The user is authorized to the object and has the same
authorizations as the *PUBLIC user.
** The user is a member of a group and the group profile is also
authorized to the object with the same authorizations as the
user.
If the object is controlled by an authorization list (*AUTL) and the
*PUBLIC user to the object is *AUTL, the following would be flagged:
** If the user authorization to the object is the same as the
*PUBLIC user of the *AUTL.
** If the user has the same authorizations for the object and the
authorization list.
** If the user is a member of a group and the user has the same
authorizations to the object as the group profile does to the
*AUTL.
Supplemental group profiles
---------------------------
Supplemental group profiles for the user are considered.
For example, if the user is a member of two groups and both the
user and his group profiles are authorized to the same object, both
group profile authorizations would be checked for duplicate
authorizations.
Authorization lists
-------------------
If an object is controlled by an authorization list, the checking
occurs as described previously. However, duplicates within the
authorization list are not checked by checking an object.
For example, if a user and the *PUBLIC authority are the same on an
authorization list, no flag would occur by checking an object that
was completely controlled by the authorization list.
However, you can specify that the *AUTL objects be checked such as:
RVKDUPAUT OBJ(QSYS/*ALL) OBJTYPE(*AUTL)
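The checking rules above (same as *PUBLIC, same as a primary or supplemental group, and the three *AUTL cases), modelled as an added example that is not part of the TAA tool: it runs the checks over constructed DSPOBJAUT-style authority records for a hypothetical MYLIB/ORDERS object controlled by a hypothetical ORDLST authorization list, skips the owner record, and shows that a duplicate that exists only inside the authorization list (FRANK) is not flagged when the object is checked.

```python
from typing import Dict, List, Optional


def find_duplicates(obj_auth: Dict[str, str], owner: str, groups: Dict[str, List[str]],
                    autl_auth: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for private authorities to one object that
    duplicate *PUBLIC, a group profile (primary or supplemental) or the
    authorization list. autl_auth is consulted only when *PUBLIC is *AUTL."""
    flagged: Dict[str, List[str]] = {}
    public = obj_auth.get("*PUBLIC")
    via_autl = public == "*AUTL" and autl_auth is not None
    for user, auth in obj_auth.items():
        if user in ("*PUBLIC", owner):      # the owner record is not considered
            continue
        reasons: List[str] = []
        if auth == public:
            reasons.append("same as *PUBLIC")
        for grp in groups.get(user, []):    # primary + supplemental groups
            if obj_auth.get(grp) == auth:
                reasons.append(f"same as group {grp}")
            if via_autl and autl_auth.get(grp) == auth:
                reasons.append(f"same as group {grp} on the *AUTL")
        if via_autl:
            if auth == autl_auth.get("*PUBLIC"):
                reasons.append("same as *PUBLIC of the *AUTL")
            if autl_auth.get(user) == auth:
                reasons.append("same as the user's *AUTL entry")
        if reasons:
            flagged[user] = reasons
    return flagged


def revoke_plan(lib: str, obj: str, objtype: str, flagged: Dict[str, List[str]]) -> List[str]:
    """OPTION(*REVOKE) equivalent: only the object's duplicate authorities are
    revoked; entries on the authorization list itself are never changed."""
    return [f"RVKOBJAUT OBJ({lib}/{obj}) OBJTYPE({objtype}) USER({u}) AUT(*ALL)"
            for u in sorted(flagged)]

# Constructed sample: MYLIB/ORDERS is controlled by authorization list ORDLST.
OBJ_AUTH = {"OWNER": "*ALL", "*PUBLIC": "*AUTL", "ALICE": "*CHANGE",
            "BOB": "*USE", "SALES": "*CHANGE", "CAROL": "*EXCLUDE"}
AUTL_AUTH = {"*PUBLIC": "*USE", "SALES": "*CHANGE", "CAROL": "*EXCLUDE",
             "FRANK": "*USE"}   # FRANK duplicates *PUBLIC only inside the *AUTL
GROUPS = {"ALICE": ["SALES"], "BOB": [], "CAROL": ["SALES"]}

if __name__ == "__main__":
    dups = find_duplicates(OBJ_AUTH, "OWNER", GROUPS, AUTL_AUTH)
    for user, why in dups.items():        # FRANK is absent: the *AUTL itself is not checked
        print(f"{user:<10} {OBJ_AUTH[user]:<9} {'; '.join(why)}")
    print(*revoke_plan("MYLIB", "ORDERS", "*FILE", dups), sep="\n")
```

To check the authorization list itself, the same function is run with the *AUTL's own authorities as obj_auth, which is what OBJTYPE(*AUTL) does in the tool.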
RVKDUPAUT escape messages you can monitor for
---------------------------------------------
None. Escape messages from the functions the tool is based on will be
re-sent.
Command parameters *CMD
------------------
OBJ        The qualified name of the object to check. A
           generic object name or the special value *ALL may be
           specified.
           A library name must be entered. The special value
           *LIBL may be entered if *ALL was not specified for
           the object. *CURLIB may also be used for the
           library name.
OBJTYPE    The object type to be checked. The default is *ALL.
           For a list of the supported object types, use the
           prompter.
OPTION     The option to be used. The default is *CHECK
           meaning that no authorizations are changed and a
           listing is output.
           *REVOKE may be specified to revoke the duplicate
           authorizations. Only the duplicate authorizations
           to the object are revoked. If the object is
           controlled by an authorization list and there is a
           duplicate between the object's authorizations and
           the authorization list's authorizations, only the
           object's duplicate authorizations are revoked (the
           authorizations to the authorization list are never
           changed).
           Duplicates within the authorization list itself are
           not checked if an object controlled by an
           authorization list is specified. You can check and
           revoke duplicate authorizations to an *AUTL object
           by specifying the object type of *AUTL.
PRTPUBLIC  An option for whether the *PUBLIC user of each
           object will always be listed. The default is *ALL
           to list the *PUBLIC user. This provides at least
           one line per object.
           *DUP may be specified to list the *PUBLIC user for
           only those objects which have duplicates.
PRTDETAIL  An option for whether to print the duplicate user
           authorizations (not the *PUBLIC). The default is
           *DUP to only print a line for an authorized user if
           duplicate authorities exist.
           *ALL may be specified to print all users who are
           authorized.
Restrictions
------------
** You must have *ALLOBJ special authority to use RVKDUPAUT. It
cannot be adopted or come from a group profile.
** You cannot be a member of a group. Your profile must be
GRPPRF(*NONE).
** Processing will fail if lock types such as *EXCL exist on
the objects being processed. The commands used internally,
such as DSPOBJAUT and RVKOBJAUT, must be able to operate
successfully.
Prerequisites
-------------
The following TAA Tools must be on your system:
EDTVAR        Edit variable
RSNLSTMSG     Resend last message
RTVOBJD2      Retrieve object description 2
RTVSPCAUT     Retrieve special authority
RTVSYSVAL3    Retrieve system value 3
SNDCOMPMSG    Send completion message
SNDESCINF     Send escape information
SNDESCMSG     Send escape message
SNDSTSCNT     Send status count
SNDSTSMSG     Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object       Type    Attribute   Src member   Src file
------       ----    ---------   ----------   ----------
RVKDUPAUT    *CMD                TAASEGI      QATTCMD
TAASEGIC     *PGM    CLP         TAASEGIC     QATTCL
TAASEGIC2    *PGM    CLP         TAASEGIC2    QATTCL
TAASEGIC3    *PGM    CLP         TAASEGIC3    QATTCL
TAASEGIR     *PGM    RPG         TAASEGIR     QATTRPG
TAASEGIR2    *PGM    RPG         TAASEGIR2    QATTRPG
TAASEGIP     *FILE   PF          TAASEGIP     QATTDDS
TAASEGIS     *FILE   PF          TAASEGIS     QATTDDS
The TAASEGIP and TAASEGIS files are keyed versions of the DSPOBJAUT
outfile (model file is QAOBJAUT). The same format (QSYDSAUT) is used
for both. TAASEGIP holds the authorizations for all objects
specified. TAASEGIS holds the authorizations for an authorization
list for any object specified.
Structure
---------
RVKDUPAUT    Cmd
TAASEGIC     CL pgm
TAASEGIC3    CL Pgm  - does RVKOBJAUT
TAASEGIR     RPG Pgm
TAASEGIR2    RPG Pgm - Checks for groups, *AUTL etc
TAASEGIC2    CL      - does RTVUSRPRF and DSPOBJAUT of *AUTL