Special considerations

Special considerations for authority collection.

1. The authority collection support does NOT collect data that is related to interfaces that check special authority. Authority collection data that is related to *ALLOBJ special authority is collected as it affects object level security. Other special authority checks, authorities such as *JOBCTL or *SAVSYS, do not generate authority collection entries. Special authority settings for a specific user profile are easy to check by using the existing security interfaces such as the Display User Profile (DSPUSRPRF) command and related APIs or by querying the QSYS2.USER_INFO view.
2. Function usage settings (also called application administration) are not collected for the same reason as special authority settings. Function usage settings for a specific user profile are easy to check and are managed by using the Work with Function Usage (WRKFCNUSG) command or by querying the QSYS2.FUNCTION_USAGE view.
3. The system automatically excludes certain system libraries and their objects, such as QRCL, QSPL, QTEMP, QPTFOBJ1, or QPTFOBJ2 (and the corresponding IASP version of the system libraries), from the authority collection data. Also excluded are authority checks against objects that are not in a library, folder, or directory.
4. The system automatically excludes system programs and service programs from the authority collection data. Programs or service programs that are *SYSTEM domain or have a program state of *SYSTEM or *INHERIT are excluded from the authority collection. These attributes can be displayed by using the Display Program (DSPPGM) and Display Service Program (DSPSRVPGM) commands.
5. The system automatically excludes authority collection data when the IBM i operating system accesses an object and authority is available because of program adopted authority from the operating system. The operating system uses program adopted authority to manage and secure objects and control blocks that it uses. In addition, the operating system uses program adopted authority for situations where it requires access to an object for a specific reason and the current user of the job is not authorized.
6. The system automatically excludes authority collection data for document library objects and file system objects that have been deleted.
7. The open file (*FILE objects) support for authority collection is for full opens only (no shared or pseudo open is logged). The initial authority collection occurs at file open but the data is not written to the authority collection repository until a hard close on the file is done. Writing the authority collection data to the repository for the file open/close case must be done at close time to accurately log the authority that is required (the open might be done for read/add/update/delete but the application might only read the data) for the application.
8. Authority collection of column permissions for a DB2® table is not supported.
9. If the STRAUTCOL command is used to start the authority collection for a user profile and the partition is IPLed, the authority collection continues when a job (post IPL) running under the specified user profile starts.
10. IBM i supports a capability that is called profile swap. A profile swap can occur within an active job to swap the current user of a thread from one user to another. When this profile swap occurs, the authority collection of the previous user, for this thread, is no longer active because the current user changed. If the newly swapped user has authority collection active, any authority checks made are now logged under this user’s authority collection repository.
11. If a user profile with an active authority collection is deleted, the authority collection is automatically ended before the user profile is deleted.
12. To collect authority information for object types that are only allowed in QSYS (for example, *LIB), specify parameter LIBINF(*ALL) on the STRAUTCOL command. When authority collection includes object type *LIB, library objects that start with QSYS* are automatically excluded from the authority collection data.
13. When authority collection is started for a user that has an existing authority collection data repository, new authority data is added to the existing information unless parameter DLTCOL(*YES) is specified. New authority collection data can only be added to the existing information if the value specified on the DETAIL parameter matches the value that was specified on the DETAIL parameter when the existing authority information was collected.