The DSPUSRAUT command has mostly been replaced by the DSPUSRAUT2
command. You should try DSPUSRAUT2 first; it uses an API to
determine whether a user is authorized. There are some differences
between the two tools.
The Display User Authority command lets you review authorizations by
combining the individual object authorities, group profiles and
authorization lists. The intent is to duplicate the type of checking
performed by the system so that you can ask the following types of
questions:
Who can update FILEA?
What can USERX do to the objects in LIBY?
What can *PUBLIC do to the objects in LIBZ?
The authorization checking includes:
- Object authorizations
- Authorization list authorizations
- Group profile authorizations
- *ALLOBJ authority checking
- Library authority (it is printed also)
DSPUSRAUT does not consider:
- The use of program adopt - USRPRF(*OWNER)
- Authority holders
- Dynamic switching of group profiles (The system only supports a
single group profile at a time, but it is possible to switch in
the middle of a job - See the TAA tool CHGGRPPRF)
There are three commands provided:
CVTUSRAUT Lets you specify what authority environment you want
to capture. For example, it could be all objects in
one or several libraries. The output from this
command is a data base file (USRAUTP) that is used
by DSPUSRAUT. The data base file also includes one
record for each user profile on the system.
CVTUSRAUT is a long running command and should be
submitted to batch. If you name large libraries,
the command will take even longer.
A typical command would be:
CVTUSRAUT LIB(LIBX LIBY LIBZ) OUTLIB(LIB1)
This would result in all the authorities for all
objects in the 3 named libraries being captured into
the USRAUTP file in library LIB1.
DSPUSRAUT Lets you display the authorities that are in USRAUTP
and provides many different selection criteria. It
would be typical to use DSPUSRAUT several times
before refreshing the USRAUTP file with CVTUSRAUT.
A typical command would be:
DSPUSRAUT USER(JONES) LIB(LIBX) OWNED(*OMIT)
A display would appear with all of the information
about the user JONES for the objects in library
LIBX. Any objects owned by JONES would be excluded.
Any objects that JONES could access because of
public authority would be shown in addition to any
that JONES had direct authority to.
If JONES is a member of a group, his authority would
still be shown if the group was specifically
authorized. If JONES is excluded from an object, it
would also be shown.
If JONES had a specific authority to the object and
the object was also secured by an authorization list
where JONES has explicit authority or is a member of
a group that has authority, only the explicit
authorization to the object would be shown. This
reflects the way the system performs security
checking (The first authorization found determines
authority based on a sequence of checks).
Similarly, if JONES was authorized to *USE and the
public is authorized to *CHANGE, JONES may only
'use' the object and this is what will be shown.
A -- indication appears to the left of the authority
description for the *PUBLIC user if a private
authority is less than the *PUBLIC authority. This
is inefficient from an authority checking performance
viewpoint and should be avoided if you can.
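The precedence described above, as an added example that is not part of the original page or of the TAA tool: a small Python model of the check sequence (a simplified reading of the order the text outlines, not the system's own code) run over a constructed environment. It answers the "Who can update FILEA?" style of question from the introduction and computes the -- flag for private authorities below *PUBLIC. Every profile, object and authorization list name in it is hypothetical.

```python
"""Model of the authority-check sequence that DSPUSRAUT reproduces.

Example code written for this page; it is not the TAA tool's own code, and
the check order below is a simplified reading of the sequence the text
outlines. All profiles, objects and authorization lists are sample data.
"""

# The seven rights DSPUSRAUT can filter on; the special values expand to them.
RIGHTS = ("OBJOPR", "OBJMGT", "OBJEXS", "READ", "ADD", "UPD", "DLT")
SPECIAL = {
    "*EXCLUDE": frozenset(),
    "*USE": frozenset({"OBJOPR", "READ"}),
    "*CHANGE": frozenset({"OBJOPR", "READ", "ADD", "UPD", "DLT"}),
    "*ALL": frozenset(RIGHTS),
}

# Constructed sample environment (hypothetical names).
USERS = {                      # profile -> (group profile or None, has *ALLOBJ)
    "JONES": ("GRP1", False),
    "SMITH": (None, False),
    "BROWN": ("GRP1", False),
    "GRP1": (None, False),     # a group profile is itself a user profile
    "DEPTX": (None, False),    # owns the application objects
    "SECOFR": (None, True),
}
AUTLS = {                      # autl -> (entries, *PUBLIC authority on the list)
    "AUTL1": ({"GRP1": "*CHANGE", "SMITH": "*USE"}, "*EXCLUDE"),
}
OBJECTS = {                    # object -> (owner, autl or None, *PUBLIC, private authorities)
    "FILEA": ("DEPTX", "AUTL1", "*CHANGE", {"DEPTX": "*ALL", "JONES": "*USE"}),
    "FILEB": ("DEPTX", None, "*USE", {"DEPTX": "*ALL", "SMITH": "*EXCLUDE"}),
    "FILEC": ("DEPTX", "AUTL1", "*AUTL", {"DEPTX": "*ALL"}),
}


def resolve(user, obj):
    """Return (source, authority): the first authorization found wins."""
    group, allobj = USERS[user]
    owner, autl, public, private = OBJECTS[obj]
    if allobj:                                   # *ALLOBJ short-circuits everything
        return "*ALLOBJ", "*ALL"
    if user in private:                          # explicit authority to the object
        return "private", private[user]
    if autl and user in AUTLS[autl][0]:          # explicit entry on the autl
        return "autl", AUTLS[autl][0][user]
    if group:                                    # single group profile, checked next
        if USERS[group][1]:
            return "group *ALLOBJ", "*ALL"
        if group in private:
            return "group", private[group]
        if autl and group in AUTLS[autl][0]:
            return "group autl", AUTLS[autl][0][group]
    if public == "*AUTL":                        # public authority taken from the autl
        return "public autl", AUTLS[autl][1]
    return "public", public


def has_right(user, obj, right):
    return right in SPECIAL[resolve(user, obj)[1]]


def who_can(obj, right):
    """Answer 'who can <right> OBJ?' for every profile in the environment."""
    return sorted(u for u in USERS if has_right(u, obj, right))


def private_below_public(obj):
    """Users DSPUSRAUT would flag with '--': private authority below *PUBLIC."""
    owner, autl, public, private = OBJECTS[obj]
    pub = AUTLS[autl][1] if public == "*AUTL" else public
    return sorted(u for u, aut in private.items() if SPECIAL[aut] < SPECIAL[pub])


if __name__ == "__main__":
    print("UPD on FILEA:", who_can("FILEA", "UPD"))
    print("JONES on FILEC:", resolve("JONES", "FILEC"))
    for name in OBJECTS:
        print(name, "-- flagged:", private_below_public(name))
```

Note that BROWN, in the same group as JONES, ends up with *CHANGE on FILEA through the group's authorization list entry, while JONES's explicit *USE is found first and stops the search. As on the page, program adopt and authority holders are not modeled, so the answer is only as complete as the private authorities captured.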
An outfile option may be specified to capture the
information as it appears on the report in a data
base file. This would normally be used with the
CMPUSRAUT command.
CMPUSRAUT Compares the output from two different uses of
DSPUSRAUT to an outfile.
The intent of CMPUSRAUT is to allow you to capture
the security environment at one point and make a
thorough review with DSPUSRAUT. Then using the
DSPUSRAUT OUTFILE option you can capture the
information in a data base file as it appeared on
the DSPUSRAUT printout. At a later point you want
to determine the changes that have occurred. You
need to run CVTUSRAUT and then DSPUSRAUT to an
OUTFILE again. CMPUSRAUT can then be used by
specifying the two different outfiles and a
differences report will be printed.
The report will print one line per object. It will
note new objects, ownership changes, authority list
changes, new grants that have occurred, revokes that
have occurred and changes to previously authorized
users.
Any changes to the authority environment are not
reflected until CVTUSRAUT is run again.
A typical command would be:
CMPUSRAUT FROMUSRAUT(xxx) TOUSRAUT(yyy)
Auditing review
---------------
An auditor may want to periodically review the authorizations using
DSPUSRAUT. A reasonable technique would be to use the multiple
member capability of the USRAUTP file for each environment needed.
For example, assume you have 5 different application areas. Each
area may involve several libraries. You could use CVTUSRAUT 5 times
and name each of the application areas to be stored in a different
member of USRAUTP such as:
CVTUSRAUT LIB(LIBX LIBY LIBZ) OUTLIB(LIB1) OUTMBR(APP1)
The Security Officer would run CVTUSRAUT (*ALLOBJ authority is
needed) and then authorize the auditor to *USE of the USRAUTP file.
The auditor can then use DSPUSRAUT and specify the application area
to be reviewed such as:
DSPUSRAUT USER(JONES) LIB(LIBX) OWNED(*OMIT)
USRAUTPLIB(LIB1) USRAUTPMBR(APP1)
CVTUSRAUT Command parameters *CMD
----------------------------
CVTUSRAUT is a long running command and should be submitted to batch.
It creates the USRAUTP file used by DSPUSRAUT.
LIB The library or libraries to be included. Up to 40
libraries may be named or the special values *LIBL,
*USRLIBL, *CURLIB, *ALL, or *ALLUSR.
OBJ The generic object name to be included. The default
is *ALL. If a generic name is desired, no * should
be entered.
OBJTYPE A list of object types to be included. *ALL is the
default. Most of the system supported object types
may be named except for *LIB and *AUTL. Use the
command prompt for a full list of the supported
types. A list of up to 10 object types may be
specified.
OUTLIB The library for the USRAUTP file. The default is
*LIBL. A library must be specified if the file does
not exist.
OUTMBR The member for the USRAUTP file. The default is
USRAUTP. If the member does not exist, it is added.
If the member exists, it is cleared.
DSPUSRAUT Command parameters *CMD
----------------------------
DSPUSRAUT displays the authorities in the USRAUTP file that were
captured by CVTUSRAUT. Most of the parameters on DSPUSRAUT let you
subset the amount of information in the output. If you take all of
the defaults, all authorities are shown.
USER The user to display authorities for. The default is
*ALL.
PUBLIC Whether to include the *PUBLIC user. The default is
*YES.
AUT The authorization you want to display. The default
is *ANY meaning any authorization is displayed. You
may also specify *USE, *CHANGE, *ALL, or *EXCLUDE.
You may also request the specific Object or Data
rights (See later parameters).
LIB The library to be included. The default is *ALL
which means all libraries found in the USRAUTP file.
OBJ The generic object name to be included. The default
is *ALL. A generic name should be entered without a
trailing *.
OBJTYPE The object type to be included. The default is
*ALL.
OWNED Whether to include owned objects. The default is
*INCLUDE. You may also specify *OMIT or *ONLY.
Specifying OWNED(*OMIT) is usually a good technique
for reducing the amount of information you will need
to review.
USRAUTPLIB The library for the USRAUTP file created by
CVTUSRAUT. The default is *LIBL.
USRAUTPMBR The member of the USRAUTP file to be processed. The
default is *FIRST.
OBJOPR Whether to include only those records that have the
Object Operational right. The default is *NO
meaning the records are always included. If you
specify *YES, no record will be displayed unless the
user has the Object Operational right.
The other Object and Data rights work in a similar
manner.
If you specify any of the Object or Data rights,
AUT(*ANY) must be used.
If you specify multiple rights such as Obj Mgt and
Read, you will see only those records that meet both
criteria.
OBJMGT Whether to include only those records that have the
Object Management right.
OBJEXS Whether to include only those records that have the
Object Existence right.
READ Whether to include only those records that have the
Read Data right.
ADD Whether to include only those records that have the
Add Data right.
UPD Whether to include only those records that have the
Update Data right.
DLT Whether to include only those records that have the
Delete Data right.
OUTPUT The standard OUTPUT parameter for display or
printing. * is the default. *PRINT may be used.
*OUTFILE is also supported.
OUTFILE The name of the outfile to be used. The name of the
model outfile used is TAASECNS in TAATOOL. It uses
a format name of USRAUT. The records that exist in
the file duplicate what would appear in the detail
portion of the printed output.
The intent of the outfile parameter is to allow for
some unique processing to occur with the information
available.
The outfile will be owned by the user running the
DSPUSRAUT command that creates the file. The file
will be private. You may authorize other users to
the file.
The outfile is not the same as USRAUTP. Although
many of the field names are the same, the records
which exist will differ. USRAUTP is an internal
file and is not designed for application use.
OUTMBR The standard OUTMBR option for outfiles. This is a
list with the default of *FIRST member and *REPLACE.
You may specify a unique member name and also *ADD
for adding records to an existing member.
CMPUSRAUT Command parameters *CMD
----------------------------
CMPUSRAUT compares two different uses of the DSPUSRAUT OUTFILE
option. This allows you to determine the changes that have occurred
during the two uses of DSPUSRAUT.
Normally, you would run DSPUSRAUT without any selection criteria (all
defaults) and specify an OUTFILE.
Any new objects are shown. Any changes in ownership, authority list
or individual authorizations are shown. Any deleted objects are not
shown.
FROMUSRAUT The FROM file to be compared. This should be the
same file you specified on the OUTFILE parameter of
DSPUSRAUT. A qualified name is used. The library
defaults to *LIBL. The FROMFILE would normally be
the oldest file (oldest use of DSPUSRAUT).
TOUSRAUT The TO file to be compared. This should be the same
file you specified on the OUTFILE parameter of
DSPUSRAUT. A qualified name is used. The library
defaults to *LIBL. The TO file would normally be
the newest use of DSPUSRAUT.
FROMMBR The member in the FROMUSRAUT file. *FIRST is the
default.
TOMBR The member in the TOUSRAUT file. *FIRST is the
default.
SELLIB The name of the library to be selected. The default
is *ALL meaning all libraries found in the TO file
will appear in the report.
SELOBJ The generic name of the objects to be selected. The
default is *ALL. The generic name should be entered
without an *.
SELOBJTYPE The object type to be selected. The default is
*ALL.
PRTFILE The printer file to use. QPRINT in *LIBL is the
default.
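The comparison CMPUSRAUT performs (the differences report described with the command above, and the SELLIB/SELOBJ/SELOBJTYPE selection listed here), as an added example written for this page and not the TAA tool's own code. Two lists of rows stand in for the FROM and TO outfiles, the TO file is the base, and SELOBJ is treated as a generic prefix entered without an *. The column layout and every name in the rows are constructed assumptions; the real TAASECNS record format is not reproduced.

```python
"""Differences report in the style of CMPUSRAUT, using the TO file as the base.

Example code written for this page, not the TAA tool's own. The two row
lists stand in for two DSPUSRAUT outfiles and are constructed sample data;
the field layout (lib, obj, type, owner, autl, user, aut) is assumed.
"""

# Constructed sample rows: the baseline capture and a later one.
FROM_ROWS = [
    ("LIBX", "FILEA", "*FILE", "DEPTX", "AUTL1", "*PUBLIC", "*CHANGE"),
    ("LIBX", "FILEA", "*FILE", "DEPTX", "AUTL1", "JONES", "*USE"),
    ("LIBX", "FILEA", "*FILE", "DEPTX", "AUTL1", "SMITH", "*EXCLUDE"),
    ("LIBX", "FILEB", "*FILE", "DEPTX", "*NONE", "*PUBLIC", "*USE"),
    ("LIBX", "FILEZ", "*FILE", "DEPTX", "*NONE", "*PUBLIC", "*USE"),
]
TO_ROWS = [
    ("LIBX", "FILEA", "*FILE", "DEPTX", "AUTL1", "*PUBLIC", "*CHANGE"),
    ("LIBX", "FILEA", "*FILE", "DEPTX", "AUTL1", "JONES", "*CHANGE"),
    ("LIBX", "FILEA", "*FILE", "DEPTX", "AUTL1", "BROWN", "*USE"),
    ("LIBX", "FILEB", "*FILE", "QPGMR", "AUTL2", "*PUBLIC", "*USE"),
    ("LIBX", "FILEC", "*FILE", "DEPTX", "*NONE", "*PUBLIC", "*ALL"),
]


def index(rows):
    """Group outfile rows by object: key -> [owner, autl, {user: aut}]."""
    objs = {}
    for lib, obj, typ, owner, autl, user, aut in rows:
        key = (lib, obj, typ)
        if key not in objs:
            objs[key] = [owner, autl, {}]
        objs[key][2][user] = aut
    return objs


def selected(key, sellib, selobj, selobjtype):
    """Apply the SELLIB/SELOBJ/SELOBJTYPE filters; SELOBJ is a generic prefix."""
    lib, obj, typ = key
    return ((sellib == "*ALL" or lib == sellib)
            and (selobj == "*ALL" or obj.startswith(selobj))
            and (selobjtype == "*ALL" or typ == selobjtype))


def compare(from_rows, to_rows, sellib="*ALL", selobj="*ALL", selobjtype="*ALL"):
    """Return {object key: [change descriptions]}, one entry per changed object.

    Objects that exist only in FROM (deleted since the baseline) are not
    reported, matching the documented CMPUSRAUT restriction.
    """
    before, after = index(from_rows), index(to_rows)
    report = {}
    for key in sorted(after):
        if not selected(key, sellib, selobj, selobjtype):
            continue
        if key not in before:
            report[key] = ["new object"]
            continue
        o_owner, o_autl, o_users = before[key]
        n_owner, n_autl, n_users = after[key]
        changes = []
        if o_owner != n_owner:
            changes.append(f"owner {o_owner} -> {n_owner}")
        if o_autl != n_autl:
            changes.append(f"autl {o_autl} -> {n_autl}")
        for user in sorted(set(n_users) - set(o_users)):      # new grants
            changes.append(f"grant {user} {n_users[user]}")
        for user in sorted(set(o_users) - set(n_users)):      # revokes
            changes.append(f"revoke {user} {o_users[user]}")
        for user in sorted(set(o_users) & set(n_users)):      # changed users
            if o_users[user] != n_users[user]:
                changes.append(f"change {user} {o_users[user]} -> {n_users[user]}")
        if changes:
            report[key] = changes
    return report


def report_lines(report):
    """One printed line per object, as CMPUSRAUT does."""
    return [f"{lib}/{obj} {typ}: " + "; ".join(chg)
            for (lib, obj, typ), chg in report.items()]


if __name__ == "__main__":
    for line in report_lines(compare(FROM_ROWS, TO_ROWS)):
        print(line)
```

A revoke line deserves the same attention as a grant: removing SMITH's *EXCLUDE on FILEA widens SMITH's access to whatever *PUBLIC or the authorization list allows. Deleted objects (FILEZ here) never appear in the report, so a drop in record count between captures is worth checking separately.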
Restrictions
------------
** The information supplied by DSPUSRAUT is only as current as
the last use of CVTUSRAUT.
** The program adopt function is not included.
** Authority holders are not included.
** Multiple user profiles are not supported.
** Multiple USRAUTP members cannot be combined together using
CPYF. All output from DSPUSRAUT must occur from a member that
was created from a single CVTUSRAUT command.
** The object types *LIB and *AUTL are special cased by DSPUSRAUT
and cannot be specified on CVTUSRAUT. If the QSYS library is
processed, these object types are removed (they are picked up
later with special processing). For any library converted,
the library authority is always shown as well as any
authorization lists used by the objects.
** CMPUSRAUT compares using the TO file as a base. Any new
objects are shown, but any objects that only exist in the FROM
file are not shown.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKGENERC Check generic
EDTVAR Edit variable
RTVDAT Retrieve date
SCNVARRGT Scan variable right
SNDCOMPMSG Send completion message
SNDESCMSG Send escape message
SNDSTSMSG Send status message
SORTDB Sort data base file
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object      Type     Attribute   Src member   Src file
------      ----     ---------   ----------   ----------
DSPUSRAUT   *CMD                 TAASECN      QATTCMD
CVTUSRAUT   *CMD                 TAASECN2     QATTCMD
CMPUSRAUT   *CMD                 TAASECN4     QATTCMD
TAASECNC    *PGM     CLP         TAASECNC     QATTCL
TAASECNC2   *PGM     CLP         TAASECNC2    QATTCL
TAASECNC3   *PGM     CLP         TAASECNC3    QATTCL
TAASECNC4   *PGM     CLP         TAASECNC4    QATTCL
TAASECNR    *PGM     RPG         TAASECNR     QATTRPG
TAASECNR2   *PGM     RPG         TAASECNR2    QATTRPG
TAASECNR3   *PGM     RPG         TAASECNR3    QATTRPG
TAASECNR4   *PGM     RPG         TAASECNR4    QATTRPG
TAASECNP    *FILE    PF          TAASECNP     QATTDDS
TAASECNS    *FILE    PF          TAASECNS     QATTDDS
TAASECNT    *FILE    PF          TAASECNT     QATTDDS
TAASECNU    *FILE    PF          TAASECNU     QATTDDS
Structure
---------
CVTUSRAUT   Cmd
   TAASECNC2   CL
   TAASECNC3   CL
   TAASECNR3   RPG
   TAASECNP    PF
   TAASECNT    PF
   TAASECNR2   RPG
   TAASECNP    PF
DSPUSRAUT   Cmd
   TAASECNC    CL
   TAASECNR    RPG
   TAASECNP    PF
   TAASECNS    PF
CMPUSRAUT   Cmd
   TAASECNC4   CL
   TAASECNR4   RPG
   TAASECNS    PF
   TAASECNU    PF