Library *USE authority - just a curious question
02-28-2002, 05:01 AM
Hello Ken, The user you are making reference to may belong to a Group Profile that owns this object. In this case they can do anything they want including deleting it. You may want to verify what profile owns the object, and what group profile your user is associated with. It is very common that an application has all of its objects owned by a profile. Then when a user is created, they are assigned to the same group to ensure the correct authority. I hope this helps you, or gives you something to look at. Keith
02-28-2002, 05:38 AM
The *USE authority on the library only applies to the library object, its existence, ability to change the description etc, NOT the contents of the library. When you give *ALL authority to an object it means *ALL. I believe that the only exception to this is if the User had *EXCLUDE to the library. In this case I don't believe that they would even be able to "see" the objects in the library, even if they have *ALL to those objects.
03-01-2002, 07:37 PM
> If a user has *USE authority to a library and *ALL authority to an object within that library why are they allowed to delete that object?

> USE on the library means Object Operational, Data Read and Data Execute. Execute is defined as ‘Execute authority provides authority to run a program or search a library or directory.’

> Should the object deletion not update the Library index? If it does shouldn’t the user require UPD rights to the Library? If he does shouldn’t the object deletion be refused?

Yes, one would think so. And your logic holds true in one more respect - a user must have data *ADD rights to a library in order to place a new object in that library. This is (as I understand it) because when a new object is added to a library, the library index receives a new entry in it - a classic case of data *ADD. For reasons that I've never understood, the standard is not consistent for deletes of objects in a library. As you've already noticed, if a user has *USE authority to the library and *ALL (or really *OBJEXST) authority to any object in that library, they can delete the object. It's just an anomaly of OS/400 security, and I've never had it adequately explained to me. jte
03-04-2002, 06:36 AM
Indeed an anomaly! If any IBM'ers are reading this I'd like to bait them by saying it's a bug. Albeit a very long standing one! Or I'd settle for a full explanation to what John & myself have pointed out here. If you remove data execute from the library leaving just Object Opr and Data Read then you can no longer do opt 12 Work With Objects from WRKLIB. This would be consistent with the explanation of Data Execute allowing you to search the contents of a library. You can still see the contents of the library by DSPLIB although curiously DSPOBJD LIB/*ALL *ALL is refused with CPF2182. I can't see the reason for that discrepancy either.
03-04-2002, 06:42 AM
Just a curiosity question this. If a user has *USE authority to a library and *ALL authority to an object within that library why are they allowed to delete that object? USE on the library means Object Operational, Data Read and Data Execute. Execute is defined as ‘Execute authority provides authority to run a program or search a library or directory.’ Should the object deletion not update the Library index? If it does shouldn’t the user require UPD rights to the Library? If he does shouldn’t the object deletion be refused? This isn’t a problem - like I say I’m just curious. Ken