Using authorization lists offers many advantages for those people charged with maintaining system and data security.
A well-structured authorization scheme that includes both user groups and authorization lists by application or library type allows for better control over the whole system, thus preventing unpleasant surprises and reducing the unauthorized-access risk. After the theory of Part I and the practical example of Part II, here's a brief list of advantages of using authorization lists:
- User authority is defined for the authorization list, not for the individual objects on the list. This means that when a new object is secured by the authorization list, the users on the list automatically gain authority to it, even if the object is in use by another process at the time.
- One operation can be used to give a user authority to all the objects on the list, thus simplifying the security officer's work.
- Authorization lists reduce the number of private authorities on the system. Each user has a private authority to one object (the authorization list), which in turn grants the user authority to all the objects secured by the list. Reducing the number of private authorities in the system also has advantages: it reduces the size of user profiles and improves the performance when saving the system (SAVSYS) or saving the security data (SAVSECDTA).
- Authorization lists are probably the best way to secure files. If you use private authorities, each user has a private authority for each file member. Imagine that one of your files has 100 members: every user authorized to that file would then hold 100 private authorities! If you use an authorization list, each user holds only one. Also, authority to a file cannot be granted or revoked while the file is open; if the file is secured by an authorization list, you can change the list's authorities even while the file is open.
- Authorization lists provide a way to keep authorities when an object is saved. When an object is saved that is secured by an authorization list, the name of the authorization list is saved with the object. If the object is deleted and restored to the same system, it is automatically linked to the authorization list again. If the object is restored on a different system, the authorization list is not linked, unless ALWOBJDIF(*ALL) or ALWOBJDIF(*AUTL) is specified on the restore command.
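The advantages above translate into a short CL sequence. The following is an added example, not from the article or from Parts I and II; the library PAYLIB, file EMPMAST, authorization list PAYROLL, group profile PAYUSERS, user AUDITOR1 and device TAP01 are assumed names, and the commands and parameters are standard IBM i CL.

```cl
/* Added example (not from the article): secure a physical file with an   */
/* authorization list instead of per-member private authorities.          */
/* PAYLIB, EMPMAST, PAYROLL, PAYUSERS, AUDITOR1 and TAP01 are assumed     */
/* names; replace them with your own.                                     */

/* 1. Create the list. AUT(*EXCLUDE) is the public authority the list     */
/*    grants to objects it secures, so nobody gets access by accident.    */
CRTAUTL    AUTL(PAYROLL) TEXT('Payroll master files') AUT(*EXCLUDE)

/* 2. Secure the file with the list. One operation covers every member;   */
/*    no per-member private authority is created.                         */
GRTOBJAUT  OBJ(PAYLIB/EMPMAST) OBJTYPE(*FILE) AUTL(PAYROLL)

/* 3. Make the object's *PUBLIC authority defer to the list instead of    */
/*    carrying its own value.                                             */
GRTOBJAUT  OBJ(PAYLIB/EMPMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 4. One entry per user or group profile grants authority to every       */
/*    object on the list. Entries can be added or changed while EMPMAST   */
/*    is open, which a direct GRTOBJAUT on the file would not allow.      */
ADDAUTLE   AUTL(PAYROLL) USER(PAYUSERS) AUT(*CHANGE)
ADDAUTLE   AUTL(PAYROLL) USER(AUDITOR1) AUT(*USE)

/* 5. Verify: who is on the list, and which objects the list secures.     */
DSPAUTL    AUTL(PAYROLL)
DSPAUTLOBJ AUTL(PAYROLL)

/* 6. When the file is restored on a DIFFERENT system, re-link it to the  */
/*    list explicitly; on the same system the link is restored by itself. */
RSTOBJ     OBJ(EMPMAST) SAVLIB(PAYLIB) DEV(TAP01) OBJTYPE(*FILE) +
             ALWOBJDIF(*AUTL)
```

Steps 1 to 4 are the whole setup: afterwards, adding the next payroll file to the scheme is a single GRTOBJAUT with AUTL(PAYROLL), and onboarding the next user is a single ADDAUTLE. Step 5 is what an auditor will ask to see, and step 6 is the restore-time caveat from the last advantage above; run RSTOBJ without ALWOBJDIF(*AUTL) on another system and the file comes back unlinked, with only its own public authority protecting it.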
In conclusion, authorization lists are extremely useful and easy to manage (if well-planned and well-implemented). And they're an all-time favorite with auditors!