Using authorization lists to restrict usage by user

Starting from IBM® i 7.5, IBM i NetServer supports specifying additional server and share restrictions based on authorization lists. Users can be granted or denied access to the server or individual shares through access that is defined on authorization list objects. Shares with common security requirements can be secured through use of a shared authorization list.

Authorization list restrictions layer with other protection provided by the server and shared file system. Shares that are defined as read only will always be read only regardless of access granted by an authorization list. The most restrictive access rule always determines the level of access.

Note: Authorization lists do not restrict access to users with *ALLOBJ special authority. Any user profile with *ALLOBJ special authority will be able to access IBM i NetServer as if there is no authorization list restriction in place. This can be used to create administrative shares that can only be accessed by IBM i administrative profiles by specifying an authorization list that only lists public *EXCLUDE.

When specifying an authorization list for the server:
  • If a user is given at least *USE authority to the authorization list, that user will be allowed to access the server.
  • If the user has less than *USE authority to the authorization list, the user will be denied access to the server, and a VP (Network Password Error) audit record of Error Type A (Authorization list (AUTL) permission failure) will be created.

When specifying an authorization list for a share:
  • If a user is given *CHANGE or greater authority to the authorization list, that user will be allowed read/write access to the share.
  • If a user is given *USE authority to the authorization list, that user will be allowed read only access to the share.
  • If the user has less than *USE authority to the authorization list, the user will be denied access to the share, and a VP (Network Password Error) audit record of Error Type A (Authorization list (AUTL) permission failure) will be created.
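
The server and share rules above, combined with the *ALLOBJ note and the read only layering, as a small Python model. This is an added example, not IBM code; the function names, list contents and user names are constructed, and group profiles and file system authority are not modelled.

```python
# Model of the rules on this page; names and sample data are constructed.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}
VP_TYPE_A = "VP/A"  # VP audit record, Error Type A (AUTL permission failure)


def autl_authority(autl, user):
    """Authority to a list: the user's own entry if present, else *PUBLIC.
    Assumption: group profiles are not modelled."""
    return autl.get(user, autl.get("*PUBLIC", "*EXCLUDE"))


def effective_access(user, allobj, server_autl, share_autl, share_read_only):
    """Return (access, audit): access is 'none', 'read' or 'read/write';
    audit is VP_TYPE_A when an authorization list denies the request.
    A list of None means no authorization list is specified."""
    if not allobj:  # *ALLOBJ profiles are not restricted by authorization lists
        if server_autl is not None:
            if RANK[autl_authority(server_autl, user)] < RANK["*USE"]:
                return "none", VP_TYPE_A  # denied at the server
        if share_autl is not None:
            rank = RANK[autl_authority(share_autl, user)]
            if rank < RANK["*USE"]:
                return "none", VP_TYPE_A  # denied at the share
            if rank < RANK["*CHANGE"]:
                return "read", None  # *USE: read only
    # Most restrictive rule wins: a read only share stays read only.
    # File system authority (not modelled) can restrict this further.
    return ("read" if share_read_only else "read/write"), None


# Constructed sample lists.
SERVER = {"*PUBLIC": "*USE", "MALLORY": "*EXCLUDE"}
FINANCE = {"*PUBLIC": "*EXCLUDE", "ALICE": "*CHANGE", "BOB": "*USE"}
ADMIN_ONLY = {"*PUBLIC": "*EXCLUDE"}  # administrative share pattern from the note

if __name__ == "__main__":
    cases = [
        ("ALICE", False, SERVER, FINANCE, False),
        ("BOB", False, SERVER, FINANCE, False),
        ("ALICE", False, SERVER, FINANCE, True),
        ("CAROL", False, SERVER, FINANCE, False),
        ("MALLORY", False, SERVER, FINANCE, False),
        ("CAROL", False, SERVER, ADMIN_ONLY, False),
        ("SECADMIN", True, SERVER, ADMIN_ONLY, False),
    ]
    for case in cases:
        print(case[0], "allobj" if case[1] else "", effective_access(*case))
```

Running such a model against the lists you plan to deploy shows which profiles depend on *PUBLIC and which denials should produce VP type A audit records to watch for.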