Restoring authority on a system in a nonrestricted state

The Restore Authority (RSTAUT) command uses prestarted jobs in order to process more than one user's authorities at a time. The prestarted jobs that are used by RSTAUT use subsystem description QSYSWRK in library QSYS, program QSRRATBL in library QSYS, and class QINTER in library QGPL.

There are several advantages to running the RSTAUT command on a system in a nonrestricted state. These advantages are as follows:

  • Because more than one user's authority reference tables are being processed at a time, the RSTAUT command on a system in a nonrestricted state is up to 30% faster in most cases than the same command on a system in a restricted state. Generally, the more user profiles for which RSTAUT is being run, the greater the performance gain for the RSTAUT command overall.
  • Subsystems do not have to be terminated when one or more user profiles are restored without a full system recovery.
  • Authority reference tables are not always deleted after RSTAUT is run for a user profile. If all private authorities are successfully granted or an abnormal error occurs then the authority reference table is deleted. Authority reference tables are also deleted if you create a data area named QSRCLRAUTS and it exists in the library list. However, if some of the private authorities are not granted for any reason such as 'object not found' or 'object in use', then the entries for those private authorities that were not granted are kept in the authority reference table, and the RSTAUT command can be run again for the user profile to try granting the failed private authorities before the next restore of the user profile.

There are also some limitations to running the RSTAUT command on a system in a nonrestricted state. These limitations are as follows:

  • Because the system is not in a restricted state, all objects must be locked by RSTAUT. This means that several objects might be in use during the processing of any authority reference table. If the RSTAUT command is unable to lock an object, a diagnostic message of CPF3736 or CPD3776 is sent to the job log of the prestarted job for each object that could not have authority granted. This is most likely to occur when the object is a user profile or a message queue. Because private authorities that are not granted are kept in the authority reference table, the RSTAUT command might be run again to grant authorities to objects that were in use.

    You might also receive CPD3776 if you use a product that has objects or directories with the Allow save attribute set to No. If this scenario is true, then the CPD3776 messages can be ignored.

  • If you are running RSTAUT for a large group of user profiles that have private authorities to the same few objects, you must put the system in a restricted state before running the RSTAUT command. This action minimizes the number of objects in use and consequently minimize the number of objects that are found locked by the RSTAUT command.
  • Only one RSTAUT command can be run on a system at a time.