TAA Tools
RVKDUPAUT       REVOKE DUPLICATE AUTHORIZATIONS        TAASEGI

The  Revoke Duplicate  Authorizations  command  provides a  method  for
checking  and  revoking duplicate  authorizations  such  as a  specific
user  has *CHANGE  authority as  well as the  *PUBLIC user  to the same
object.  Group  profiles and authorization  lists are also  considered.
By  default  only   a  check  occurs  which  produces   a  listing  (no
authorizations are changed).

There  are two  security requirements to  run RVKDUPAUT  because of the
way in which the system outputs information to be analyzed:

  **   You must  have *ALLOBJ  authority in  your user  profile to  use
       RVKDUPAUT.   The  function  cannot be  adopted  or  come from  a
       group profile.

  **   You  cannot  be a  member  of a  group.   Your  profile  must be
       GRPPRF(*NONE).

A typical command would be:

             RVKDUPAUT   OBJ(xxx/*ALL)

Several defaults occur:

  **   All  objects  of  all  types  would  be  checked  in  the  named
       library.

  **   Only  a  'check'   would  occur  and  a  listing   produced  (no
       authorizations would be changed).

  **   One line  would be printed for the *PUBLIC  user of each object.

  **   One  line  would be  printed for  each  duplicate that  would be
       revoked if OPTION(*REVOKE) had been specified.

After reviewing  the listing,  you can revoke  the same  authorizations
by entering:

             RVKDUPAUT   OBJ(xxx/*ALL) OPTION(*REVOKE)

A  similar  listing  would  occur  with the  authorizations  that  were
revoked being flagged.

Processing will fail if lock types such as *EXCL exist on the objects
being processed.  The commands the tool runs internally, such as
DSPOBJAUT and RVKOBJAUT, must be allowed to operate successfully.

Duplicate authorization checking
--------------------------------

The owner  record is  not considered.   The  owner will typically  have
all  authorities  to the  object.    The owner  record  will  not print
unless PRTDETAIL(*ALL) is specified.

For each object, the authorizations to  the object are checked and  the
user record would be flagged if:

  **   The  user  is  authorized  to  the  object   and  has  the  same
       authorizations as the *PUBLIC user.

  **   The user  is a member of  a group and the group  profile is also
       authorized  to the  object with  the same  authorizations as the
       user.

If the object  is controlled by an  authorization list (*AUTL) and  the
*PUBLIC user to the object is *AUTL, the following would be flagged:

  **   If the user  authorization to the object  is the same as  the
       *PUBLIC user of the *AUTL.

  **   If  the user has the same authorizations  for the object and the
       authorization list.

  **   If the user is  a member of  a group and  the user has the  same
       authorizations to  the object as the  group profile does  to the
       *AUTL.

Supplemental group profiles
---------------------------

Supplemental group profiles for the user are considered.

For example, if the user is a member of two groups and both the user
and his group profiles are authorized to the same object, both group
profile authorizations would be checked for duplicate authorizations.

Authorization lists
-------------------

If  an object  is  controlled by  an authorization  list,  the checking
occurs  as  described  previously.    However,  duplicates  within  the
authorization list are not checked by checking an object.

For example, if  a user and  the *PUBLIC authority  are the same  on an
authorization  list, no  flag would  occur by  checking an  object that
was completely controlled by the authorization list.

However, you can specify that the *AUTL objects be checked such as:

            RVKDUPAUT    OBJ(QSYS/*ALL) OBJTYPE(*AUTL)
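
The checking rules described above (*PUBLIC, group and supplemental
group profiles, and authorization lists), and the scope of OPTION(*REVOKE)
described under the command parameters, can be tried out on a small
model.  The following Python program is an added illustration written
for this page; it is not part of the TAA tool.  It models authority
records in the shape DSPOBJAUT OUTPUT(*OUTFILE) returns, with simplified
authority sets, and every profile, group, object and authorization list
name in it (PAYLIB, PAYFILE, PAYPGM, PAYAUTL, PAYOWN, CLERK1, CLERK2,
PAYGRP, MGR1, AUDITOR) is constructed for the example.

```python
"""Model of the RVKDUPAUT duplicate-authorization rules.

Added illustration, not code from the TAA tool.  The records stand in for
what DSPOBJAUT OUTPUT(*OUTFILE) returns; all names and authorities below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Simplified authority sets (the real outfile carries one flag per authority).
EXCLUDE = frozenset()
USE = frozenset({"*OBJOPR", "*READ", "*EXECUTE"})
CHANGE = USE | {"*ADD", "*UPD", "*DLT"}
ALL = CHANGE | {"*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}

Groups = Dict[str, List[str]]        # user profile -> its group profiles


@dataclass
class Secured:
    """An object, or an *AUTL, together with its private authorities."""
    name: str
    objtype: str
    owner: str
    users: Dict[str, FrozenSet[str]]   # profile name -> authority set
    autl: Optional[str] = None         # authorization list securing the object
    public_from_autl: bool = False     # *PUBLIC authority is *AUTL


def find_duplicates(obj: Secured, autls: Dict[str, Secured],
                    groups: Groups) -> Dict[str, List[str]]:
    """Return {user: [reason, ...]} for every entry RVKDUPAUT would flag."""
    flagged: Dict[str, List[str]] = {}

    def flag(user: str, why: str) -> None:
        flagged.setdefault(user, []).append(why)

    # When *PUBLIC is *AUTL, the effective public authority comes from the list.
    autl = autls[obj.autl] if obj.autl and obj.public_from_autl else None
    public = autl.users["*PUBLIC"] if autl else obj.users.get("*PUBLIC", EXCLUDE)

    for user, aut in obj.users.items():
        if user in ("*PUBLIC", obj.owner):
            continue                        # the owner record is never considered
        if aut == public:
            flag(user, "same as *PUBLIC of *AUTL" if autl else "same as *PUBLIC")
        for grp in groups.get(user, []):    # primary and supplemental groups
            if obj.users.get(grp) == aut:
                flag(user, f"same as group {grp}")
            if autl and autl.users.get(grp) == aut:
                flag(user, f"same as group {grp} on *AUTL {autl.name}")
        if autl and autl.users.get(user) == aut:
            flag(user, f"same as own entry on *AUTL {autl.name}")
    return flagged


def check(objects: List[Secured], autls: Dict[str, Secured],
          groups: Groups) -> Dict[str, Dict[str, List[str]]]:
    """OPTION(*CHECK): report per object, change nothing."""
    return {o.name: find_duplicates(o, autls, groups) for o in objects}


def revoke(objects: List[Secured], autls: Dict[str, Secured],
           groups: Groups) -> List[Tuple[str, str]]:
    """OPTION(*REVOKE): remove the object's own duplicate entries.  Entries on
    the authorization list are never touched unless the *AUTL itself is one
    of the objects being processed (OBJTYPE(*AUTL))."""
    revoked = []
    for o in objects:
        for user in list(find_duplicates(o, autls, groups)):
            del o.users[user]
            revoked.append((o.name, user))
    return revoked


# --- constructed sample data -------------------------------------------------
GROUPS: Groups = {"CLERK2": ["PAYGRP"]}          # CLERK2 has GRPPRF(PAYGRP)

AUTLS = {"PAYAUTL": Secured("PAYAUTL", "*AUTL", "QSECOFR", {
    "*PUBLIC": USE, "CLERK1": CHANGE, "PAYGRP": USE, "PAYOWN": ALL})}


def sample_library() -> List[Secured]:
    """Two objects in a constructed library, one secured by PAYAUTL."""
    return [
        Secured("PAYLIB/PAYFILE", "*FILE", "PAYOWN",
                {"PAYOWN": ALL, "CLERK1": CHANGE, "CLERK2": USE, "MGR1": ALL},
                autl="PAYAUTL", public_from_autl=True),
        Secured("PAYLIB/PAYPGM", "*PGM", "PAYOWN",
                {"PAYOWN": ALL, "*PUBLIC": USE, "CLERK1": USE,
                 "CLERK2": CHANGE, "PAYGRP": CHANGE, "AUDITOR": EXCLUDE}),
    ]


if __name__ == "__main__":
    for name, dups in check(sample_library(), AUTLS, GROUPS).items():
        print(name, dups)
    # Duplicates inside the list only show up when the *AUTL itself is checked.
    print(check([AUTLS["PAYAUTL"]], AUTLS, GROUPS))
```

Running it shows CLERK2's entry on PAYFILE flagged twice (it matches
the *PUBLIC entry of PAYAUTL and also its group PAYGRP's entry on the
list), AUDITOR's *EXCLUDE on PAYPGM left alone because it differs from
*PUBLIC, and the PAYGRP entry on PAYAUTL reported only when the *AUTL is
itself the object checked.  revoke() removes entries from the objects
only; the authorization list keeps all of its entries.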

RVKDUPAUT escape messages you can monitor for
---------------------------------------------

None.  Escape messages from based-on functions will be re-sent.

Command parameters                                    *CMD
------------------

   OBJ           The  qualified  name  of  the  object  to  check.    A
                 generic object name or the  special value *ALL may  be
                 specified.

                 A library  name must  be entered.   The special  value
                 *LIBL  may be  entered if *ALL  was not  specified for
                 the  object.    *CURLIB  may  also  be  used  for  the
                 library name.

   OBJTYPE       The object type to  be checked.  The default  is *ALL.
                 For  a list  of the  supported  object types,  use the
                 prompter.

   OPTION        The  option  to  be  used.    The  default  is  *CHECK
                 meaning  that no  authorizations  are  changed  and  a
                 listing is output.

                 *REVOKE  may  be  specified  to revoke  the  duplicate
                 authorizations.    Only  the  duplicate authorizations
                 to  the  object  are  revoked.    If  the  object   is
                 controlled by  an authorization  list and  there is  a
                 duplicate  between  the  object's  authorizations  and
                 the  authorization  list's  authorizations,  only  the
                 object's  duplicate authorizations  are  revoked  (the
                 authorizations  to the  authorization  list  are never
                 changed).

                 Duplicates  within the  authorization list  itself are
                 not   checked   if  an   object   controlled   by   an
                 authorization list  is specified.   You can  check and
                 revoke  duplicate  authorizations to  an  *AUTL object
                 by specifying the object type of *AUTL.

   PRTPUBLIC     An  option  for  whether  the  *PUBLIC  user  of  each
                 object will  always be  listed.   The default is  *ALL
                 to  list the  *PUBLIC user.    This provides  at least
                 one line per object.

                 *DUP may be  specified to  list the  *PUBLIC user  for
                 only those objects which have duplicates.

   PRTDETAIL     An  option for  whether to  print  the duplicate  user
                 authorizations  (not  the *PUBLIC).    The default  is
                 *DUP  to only print  a line for  an authorized user if
                 duplicate authorities exist.

                 *ALL may  be  specified to  print  all users  who  are
                 authorized.

Restrictions
------------

  **   You must  have *ALLOBJ special  authority to use RVKDUPAUT.   It
       cannot be adopted or come from a group profile.

  **   You  cannot  be a  member  of a  group.   Your  profile  must be
       GRPPRF(*NONE).

  **   Processing  will fail if lock  types such as *EXCL  exist on the
       objects  being processed.   The commands  the tool  uses internally,
       such  as DSPOBJAUT  and RVKOBJAUT,  must be  allowed to  operate
       successfully.

Prerequisites
-------------

The following TAA Tools must be on your system:

     EDTVAR          Edit variable
     RSNLSTMSG       Resend last message
     RTVOBJD2        Retrieve object description 2
     RTVSPCAUT       Retrieve special authority
     RTVSYSVAL3      Retrieve system value 3
     SNDCOMPMSG      Send completion message
     SNDESCINF       Send escape information
     SNDESCMSG       Send escape message
     SNDSTSCNT       Send status count
     SNDSTSMSG       Send status message

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   RVKDUPAUT     *CMD                   TAASEGI       QATTCMD
   TAASEGIC      *PGM       CLP         TAASEGIC      QATTCL
   TAASEGIC2     *PGM       CLP         TAASEGIC2     QATTCL
   TAASEGIC3     *PGM       CLP         TAASEGIC3     QATTCL
   TAASEGIR      *PGM       RPG         TAASEGIR      QATTRPG
   TAASEGIR2     *PGM       RPG         TAASEGIR2     QATTRPG
   TAASEGIP      *FILE      PF          TAASEGIP      QATTDDS
   TAASEGIS      *FILE      PF          TAASEGIS      QATTDDS

The TAASEGIP and  TAASEGIS files  are keyed versions  of the  DSPOBJAUT
outfile (model file is  QAOBJAUT).  The same format  (QSYDSAUT) is used
for  both.     TAASEGIP  holds  the  authorizations   for  all  objects
specified.    TAASEGIS holds  the  authorizations for  an authorization
list for any object specified.


Structure
---------

RVKDUPAUT   Cmd
   TAASEGIC   CL pgm
     TAASEGIC3  CL Pgm  - does RVKOBJAUT
     TAASEGIR   RPG Pgm
       TAASEGIR2   RPG Pgm - Checks for groups, *AUTL etc
          TAASEGIC2   CL - does RTVUSRPRF and DSPOBJAUT of *AUTL

Added to TAA Productivity tools September 1, 2004

