APIs by Example
Do you sometimes wonder why a particular user can delete a certain object, or why a user can’t access an object that everybody else can? If you do, a security-related API named Retrieve User Authority to Object (QSYRUSRA) is designed to help answer these types of questions. In addition to retrieving a user profile’s authority to a specific object, the QSYRUSRA API also returns information about the source of this authority. QSYRUSRA supports QSYS.LIB objects as well as objects in all other file systems.
The possible sources of authority include private authority, group authority, public authority, object authorization list, and any of the aforementioned authority sources obtained through adopted authority. The API, however, takes only adopted authority into consideration if authority is retrieved for the user profile special value *CURRENT. Further, when applicable, the QSYRUSRA API provides authority information for all of a user profile’s group profiles. In other words, if you ever have a question about users’ authority to a specific object, QSYRUSRA can likely give you the answer.
To take advantage of the comprehensive and detailed object authority information that the QSYRUSRA API provides, I’ve written a CL command called Analyze Object Authorities (ANZOBJAUT). Additionally, I’ve made all this information readily available in both display and print format. The ANZOBJAUT command employs the QSYRUSRA API to access QSYS.LIB object authority information for a selected range of user profiles. The command also provides a couple of parameters that let you further narrow the presented list based on the actual source of authority and the level of authority granted (more about the ANZOBJAUT command shortly).