The Revoke Duplicate Authorizations command provides a method for
checking and revoking duplicate authorizations such as a specific
user has *CHANGE authority as well as the *PUBLIC user to the same
object. Group profiles and authorization lists are also considered.
By default only a check occurs which produces a listing (no
authorizations are changed).
There are two security requirements to run RVKDUPAUT because of the
way in which the system outputs information to be analyzed:
** You must have *ALLOBJ authority in your user profile to use
RVKDUPAUT. The function cannot be adopted or come from a
** You cannot be a member of a group. Your profile must be
A typical command would be:
Several defaults occur:
** All objects of all types would be checked in the named
** Only a 'check' would occur and a listing produced (no
authorizations would be changed).
** One line would be printed for the *PUBLIC user of each object.
** One line would be printed for each duplicate that would be
revoked if OPTION(*REVOKE) had been specified.
After reviewing the listing, you can revoke the same authorizations
RVKDUPAUT OBJ(xxx/*ALL) OPTION(*REVOKE)
A similar listing would occur with the authorizations that were
revoked being flagged.
Processing will fail if it lock types such as *EXCL exist on the
objects being processed. Commands such as DSPOBJAUT and RVKOBJAUT
must be allowed to operate successfully.
Duplicate authorization checking
The owner record is not considered. The owner will typically have
all authorities to the object. The owner record will not print
unless PRTDETAIL(*ALL) is specified.
For each object, the authorizations to the object are checked and the
user record would be flagged if:
** The user is authorized to the object and has the same
authorizations as the *PUBLIC user.
** The user is a member of a group and the group profile is also
authorized to the object with the same authorizations as the
If the object is controlled by an authorization list (*AUTL) and the
*PUBLIC user to the object is *AUTL, the following would be flagged:
** If the user authorization to the object is the the same as the
*PUBLIC user of the *AUTL.
** If the user has the same authorizations for the object and the
** If the user is a member of a group and the user has the same
authorizations to the object as the group profile does to the
Supplemental group profiles
Supplemental group profiles for the user are considered.
For example, if the the user is a member of two groups and both the
user and his group profiles are authorized to the same object, both
group profile authorizations would be checked for duplicate
If an object is controlled by an authorization list, the checking
occurs as described previously. However, duplicates within the
authorization list are not checked by checking an object.
For example, if a user and the *PUBLIC authority are the same on an
authorization list, no flag would occur by checking an object that
was completely controlled by the authorization list.
However, you can specify that the *AUTL objects be checked such as:
RVKDUPAUT OBJ(QSYS/*ALL) OBJTYPE(*AUTL)
RVKOBJAUT escape messages you can monitor for
None. Escape messages from based on functions will be re-sent.
Command parameters *CMD
OBJ The qualified name of the object to check. A
generic object name or the special value *ALL may be
A library name must be entered. The special value
*LIBL may be entered if *ALL was not specified for
the object. *CURLIB may also be used for the
OBJTYPE The object type to be checked. The default is *ALL.
For a list of the supported object types, use the
OPTION The option to be used. The default is *CHECK
meaning that no authorizations are changed and a
listing is output.
*REVOKE may be specified to revoke the duplicate
authorizations. Only the duplicate authorizations
to the object are revoked. If the object is
controlled by an authorization list and there is a
duplicate between the object's authorizations and
the authorization list's authorizations, only the
object's duplicate authorizations are revoked (the
authorizations to the authorization list are never
Duplicates within the authorization list itself are
not checked if an object controlled by an
authorization list is specified. You can check and
revoke duplicate authorizations to an *AUTL object
by specifying the object type of *AUTL.
PRTPUBLIC An option for whether the *PUBLIC user of each
object will always be listed. The default is *ALL
to list the *PUBLIC user. This provides at least
one line per object.
*DUP may be specified to list the *PUBLIC user for
only those objects which have duplicates.
PRTDETAIL An option for whether to print the duplicate user
authorizations (not the *PUBLIC). The default is
*DUP to only print a line for an authorized user if
duplicate authorities exist.
*ALL may be specified to print all users who are
** You must have *ALLOBJ special authority to use RVKDUPAUT. It
cannot be adopted or come from a group profile.
** You cannot be a member of a group. Your profile must be
** Processing will fail if it lock types such as *EXCL exist on
the objects being processed. The internal use of commands
such as DSPOBJAUT and RVKOBJAUT must be allowed to operate
The following TAA Tools must be on your system:
EDTVAR Edit variable
RSNLSTMSG Resend last message
RTVOBJD2 Retrieve object description 2
RTVSPCAUT Retrieve special authority
RTVSYSVAL3 Retrieve system value 3
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDSTSCNT Send status count
SNDSTSMSG Send status message
None, the tool is ready to use.
Objects used by the tool
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
RVKDUPAUT *CMD TAASEGI QATTCMD
TAASEGIC *PGM CLP TAASEGIC QATTCL
TAASEGIC2 *PGM CLP TAASEGIC2 QATTCL
TAASEGIC3 *PGM CLP TAASEGIC3 QATTCL
TAASEGIR *PGM RPG TAASEGIR QATTRPG
TAASEGIR2 *PGM RPG TAASEGIR2 QATTRPG
TAASEGIP *FILE PF TAASEGIP QATTDDS
TAASEGIS *FILE PF TAASEGIS QATTDDS
The TAASEGIP and TAASEGIS files are keyed versions of the DSPOBJAUT
outfile (model file is QAOBJAUT). The same format (QSYDSAUT) is used
for both. TAASEGIP holds the authorizations for all objects
specified. TAASEGIS holds the authorizations for an authorization
list for any object specified.
TAASEGIC CL pgm
TAASEGIC3 CL Pgm - does RVKOBJAUT
TAASEGIR RPG Pgm
TAASEGIR2 RPG Pgm - Checks for groups, *AUTL etc
TAASEGIC2 CL - does RTVUSRPRF and DSPOBJAUT of *AUTL