The Restore Authorization List tool is intended for those situations
where objects authorized by authorization lists must be restored to a
second system.
RSTAUTL is the companion tool to SAVAUTL.
When an object that is authorized by an authorization list is
restored to another system, the system will not (by default) hook
up the object to the authorization list even if it exists. You must
specify ALWOBJDIF(*ALL) on the restore command and the authorization
list must exist on the second system. In addition, none of the users
that were authorized on the original system will be authorized on the
second system (you must add them to the authorization list).
SAVAUTL/RSTAUTL provide an alternative solution.
SAVAUTL is first used to capture the information about the
authorization lists that need to be transferred. A unique library is
used. The library and the objects to be transferred are then
restored to the second system.
The RSTAUTL tool is two commands:
** RSTAUTL ensures that the authorization lists that were saved
by SAVAUTL exist on the second system. It provides an option
for what to do with the users that were authorized to the
list. You can ignore them, change their authorizations to
agree with what existed on the original system or only add new
users.
A spooled file named AUTL is created to describe authorities
that are added or changed.
** GRTAUTL changes the authorization of the objects that were
captured by SAVAUTL so they are authorized by the same
authorization list. An option is provided to determine if the
*PUBLIC should be authorized to the object by
using the authorization list. The default is *YES.
The same object and library names for the objects to be
authorized must be used on the second system. The same
authorization list name must be used on the second system.
The GRTAUTL command creates a spooled file AUTHORIZED. This
should be reviewed for what occurred. If the object does not
exist on the second system, a special indication occurs in the
listing.
Specific sequence of steps
--------------------------
One of the advantages of SAVAUTL/RSTAUTL is that the major steps do
not have to be followed in the exact order. For example, if you have
already restored your objects on a second system and realize that the
authorization structure is now incorrect (e.g. the authorization
lists did not exist or you forgot to specify ALWOBJDIF), you can
recover by using SAVAUTL/RSTAUTL.
1. Use SAVAUTL and name the authorization lists. Up to 40 lists
may be named. A specific name, a generic name, or all
authorization lists may be specified. A unique library (one
that does not exist) must be named.
SAVAUTL AUTL(xxx) LIB(yyy)
2. Save the library that was created by SAVAUTL.
3. Save the objects you want to transfer.
4. Delete the library you saved with SAVAUTL as it is no longer
needed.
5. Restore both the library that was created by SAVAUTL and the
objects you want to transfer onto the second system. If the
objects have already been restored to the second system, you
do not have to repeat this step.
6. Use RSTAUTL to ensure the authorization lists exist. Name the
library that was specified on SAVAUTL. You must determine what
option you want to specify for the AUTLAUTH parameter. The
default is *SAME meaning to make the authorizations the same
as the original system.
RSTAUTL LIB(yyy)
7. Use GRTAUTL to grant the same list of objects that were
authorized to the authorization list on the originating
system. Name the same library that was used on SAVAUTL.
You must decide on how the *PUBLIC should be authorized to the
object. The default is to make the *PUBLIC authorized using
the authorization list.
GRTAUTL LIB(yyy) OBJPUBLIC(*YES)
8. Review the spooled file AUTHORIZED.
9. If you forgot to save/restore one or more objects that were
authorized to one of the authorization lists, they will be
flagged on the listing as 'not found'. You can recover by
doing the following:
-- Save/restore the missing objects.
-- Run GRTAUTL again. It is not necessary to repeat the
other steps as the information already exists on the
second system. No error occurs if you request to
re-grant an object that is already authorized to an
authorization list.
10. Delete the library that was used for SAVAUTL.
RSTAUTL Command parameters *CMD
--------------------------
LIB The library that was saved with SAVAUTL. The
library contains the data file with the
authorization list information.
AUTLAUTH How to process the authorizations that were
specified for authorization lists on the original
system.
If the same user profile name does not exist, the
entry is flagged. If a user is already authorized
on the second system and does not appear on the
saved authorized list, no change will occur.
*SAME is the default and means that the
authorizations are made the same as the original
system. *NONE may be specified to mean no changes
occur. *NEWUSER may be specified to mean only new
users are added to the authorization list and any
existing users are left as is.
See the later example for what the options will
cause.
GRTAUTL Command parameters *CMD
--------------------------
LIB The library that was saved with SAVAUTL. The
library contains a data file with the objects that
were authorized to the authorization lists.
OBJPUBLIC This parameter determines how the *PUBLIC should be
authorized to the object. If the object on the
first system was specified so that the *PUBLIC
obtained its authorization from the authorization
list, the authority will be *EXCLUDE when the object
is restored if the authorization list does not exist
or ALWOBJDIF(*YES) was not specified.
The default for OBJPUBLIC is *YES meaning to change
the authorization to the object so the *PUBLIC
obtains authorization from the authorization list.
*SAME may be specified to leave the *PUBLIC
authorization as it is on the object.
ALWMISSLIB A *YES/*NO parameter for what to do if the library
does not exist on the system to be restored.
*NO is the default. The command will fail with a
message stating the library does not exist.
*YES may be specified to flag objects in a library
that does not exist.
AUTLAUTH Parameter
------------------
Assume you are going to transfer the AUTL1 authorization list which
has the following authorizations:
USERA *ALL
USERB *USE
USERC *EXCLUDE
USERD *USE
*PUBLIC *CHANGE
If AUTL1 does not exist on the second system, and USERD is not a
valid profile, the following would be the result:
AUTLAUTH   USERA     USERB   USERC      *PUBLIC
--------   -----     -----   -----      -------
*SAME      *ALL      *USE    *EXCLUDE   *CHANGE
*NONE                                   *CHANGE
*NEWUSER   *ALL      *USE    *EXCLUDE   *CHANGE
If AUTL1 exists on the second system with:
- USERA *CHANGE
- *PUBLIC *USE
- USERD (not a valid profile)
the following would be the results:
AUTLAUTH   USERA     USERB   USERC      *PUBLIC
--------   -----     -----   -----      -------
*SAME      *ALL      *USE    *EXCLUDE   *CHANGE
*NONE      *CHANGE                      *USE
*NEWUSER   *CHANGE   *USE    *EXCLUDE   *USE
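The two result tables above can be reproduced with a small model, which also shows which users end up with a different effective authority than on the original system. This is an added example, not code from the TAA tool (which is CL and RPG); the function names are hypothetical and the merge rules are inferred from the tables and the AUTLAUTH description.

```python
PUBLIC = "*PUBLIC"

# The page's AUTL1 example as captured on the original system.
SAVED = {"USERA": "*ALL", "USERB": "*USE", "USERC": "*EXCLUDE",
         "USERD": "*USE", PUBLIC: "*CHANGE"}
# Second system in the page's second case; USERD has no profile there.
EXISTING = {"USERA": "*CHANGE", PUBLIC: "*USE"}
PROFILES = {"USERA", "USERB", "USERC"}


def apply_autlauth(saved, existing, profiles, option="*SAME"):
    """Model AUTLAUTH; existing is None when the list is absent.

    Returns (resulting entries, flagged users that have no profile).
    """
    if option not in ("*SAME", "*NONE", "*NEWUSER"):
        raise ValueError(f"unknown AUTLAUTH value: {option}")
    # Assumption: missing profiles are reported for every option.
    flagged = sorted(u for u in saved if u != PUBLIC and u not in profiles)
    if existing is None:
        # List is created; the first table shows *PUBLIC carried over even for *NONE.
        result = {PUBLIC: saved[PUBLIC]}
    else:
        result = dict(existing)
    if option == "*NONE":
        return result, flagged
    for user, auth in saved.items():
        if user in flagged:
            continue
        # *SAME overwrites; *NEWUSER only adds entries that are not there yet.
        if option == "*SAME" or user not in result:
            result[user] = auth
    return result, flagged


def effective(entries, user):
    # Simplification: ignores group profiles and special authorities such as *ALLOBJ.
    return entries.get(user, entries[PUBLIC])


def drift(saved, result, flagged):
    """Users whose effective list authority differs from the original system."""
    return {u: (saved[u], effective(result, u)) for u in saved
            if u != PUBLIC and u not in flagged and effective(result, u) != saved[u]}


if __name__ == "__main__":
    for opt in ("*SAME", "*NONE", "*NEWUSER"):
        res, flg = apply_autlauth(SAVED, EXISTING, PROFILES, opt)
        print(opt, res, "flagged:", flg, "drift:", drift(SAVED, res, flg))
```

With *NONE, USERC's explicit *EXCLUDE is not carried over, so in this model USERC falls back to whatever *PUBLIC has on the list; that is the case to look for when reviewing the AUTL spooled file.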
Restrictions
------------
** The same object and library names for the objects to be
authorized must be used on the second system.
** The same authorization list name must be used on the second
system.
Prerequisites
-------------
The following TAA Tools must be on your system:
RSTFIL Restore file
RTVDOCOBJ Retrieve document object
SNDCOMPMSG Send completion message
SNDESCMSG Send escape message
SNDSTSMSG Send status message
The RSTFIL tool is only used for its authorization list in QSYS.
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object      Type   Attribute   Src member   Src file
------      ----   ---------   ----------   --------
RSTAUTL     *CMD               TAASEDA      QATTCMD
GRTAUTL     *CMD               TAASEDA2     QATTCMD
TAASEDAC    *PGM   CLP         TAASEDAC     QATTCL
TAASEDAC2   *PGM   CLP         TAASEDAC2    QATTCL
TAASEDAC9   *PGM   CLP         TAASEDAC9    QATTCL
TAASEDAR    *PGM   RPG         TAASEDAR     QATTRPG
TAASEDAR2   *PGM   RPG         TAASEDAR2    QATTRPG
Structure
---------
RSTAUTL Cmd
TAASEDAC CL Pgm
TAASEDAC9 CL Pgm
TAASEDAR RPG Pgm
GRTAUTL Cmd
TAASEDAC2 CL Pgm
TAASEDAR2 RPG Pgm