So I'm continuing down my Journey of Enlightenment with authorization.  I'm comfortable with using authorization lists, and it's really nice to set the CRTAUT parameter on a library to a default authorization list.  But I'm running into a situation that I can't quite bring to an intuitive resolution.

I have an AUTL in the CRTAUT parameter of the library.  My AUTL has three entries: *PUBLIC *EXCLUDE, the owner of the AUTL has *ALL authority, and a second profile has *USE authority.  The basic idea is to have one full access user (the owner) and one read-only access user.  Individual user profiles that need access to the objects use one of those two as their group profile, and nobody else has access.  Simple enough.  I created a program to reset all the objects in a library and I thought the simplest would be to revoke all individual authorities and limit all access to the authorization list.  Done that way, authorities look like this:

  Object secured by authorization list  . . . . . . . . . . . .   MVXDATA

                          Object
User        Group         Authority
*PUBLIC                   *EXCLUDE

This works as desired.  Only the profiles in the authorization list have access.  I'd love this to be the default, and to be honest it's kind of what I expected would be assigned to a new object in the library.  But when I create a new object, it gets this authority:

  Object secured by authorization list  . . . . . . . . . . . .   MVXDATA

                          Object
User        Group         Authority
*PUBLIC                   *AUTL
*GROUP      MOVEX         *ALL

I sort of understand the *PUBLIC *AUTL rather than *PUBLIC *EXCLUDE.  That allows me to actually open the objects up to public use through the authorization list should I choose to do so.  But what bothers me is the entry for MOVEX.  MOVEX is the owner of the authorization list.  MOVEX has *ALL authority in my authorization list.  Do I also need it in each object?  I guess I'm wondering what would be the downside of removing the private authority for user MOVEX and instead relying solely on the authorization list?  Sure, if I change the authorization list I can theoretically remove access for even the file's owner, but that's on me (and is easy to fix).

I just think it's cleaner to remove all private authority, even for the owner.  But maybe I'm missing something?
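
An added example, not part of the original post: Python code that parses the two authority displays quoted above and lists every object-level entry that sits outside the authorization list, which is the difference the post asks about. The realigned column layout, the function names and the handling of `*NONE` are assumptions made for this illustration.

```python
import re

# Constructed sample input: the two displays quoted in the post, columns realigned.
RESET_OBJECT = """\
Object secured by authorization list  . . . . . . . . . . . .   MVXDATA

                          Object
User        Group         Authority
*PUBLIC                   *EXCLUDE
"""
NEW_OBJECT = """\
Object secured by authorization list  . . . . . . . . . . . .   MVXDATA

                          Object
User        Group         Authority
*PUBLIC                   *AUTL
*GROUP      MOVEX         *ALL
"""

# Leader dots (and an optional colon) precede the authorization list name.
AUTL_RE = re.compile(r"secured by authorization list[ .:]*\s(\S+)\s*$")

def parse_display(text):
    """Return (autl_name, [(user, group, authority), ...]) for one display."""
    autl, entries, in_rows = None, [], False
    for line in text.splitlines():
        m = AUTL_RE.search(line)
        if m:
            # Assumption: an unsecured object shows *NONE in this position.
            autl = None if m.group(1) == "*NONE" else m.group(1)
        elif line.split()[:2] == ["User", "Group"]:
            in_rows = True          # authority rows follow the column header
        elif in_rows and line.strip():
            fields = line.split()
            group = fields[1] if len(fields) == 3 else ""
            entries.append((fields[0], group, fields[-1]))
    return autl, entries

def audit(text):
    """List what keeps an object from the AUTL-only state the post aims for."""
    autl, entries = parse_display(text)
    findings = [] if autl else ["not secured by an authorization list"]
    for user, group, authority in entries:
        if user != "*PUBLIC":
            row = " ".join(f for f in (user, group, authority) if f)
            findings.append(f"object-level entry: {row}")
        elif authority not in ("*AUTL", "*EXCLUDE"):
            findings.append(f"*PUBLIC has {authority} on the object itself")
    return findings
```
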





This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
