Introduction:
On IBM i, object authorities play a critical role in controlling access to applications and system resources. Administrators frequently need to answer questions like:
- Who has access to this IBMi object?
- How do authorities differ between environments?
- Are current authorities aligned with expected standards?
While commands like DSPOBJAUT provide detailed authority information, they are typically used one object at a time, making large-scale analysis time-consuming and impractical.
The Challenge:
In real-world environments, several factors make authority analysis difficult:
- A large number of objects within a library
- Evolving authority structures over time
- Need for comparison across systems (e.g., DEV vs PROD)
Although tools exist to display authority information, they are not designed for Bulk extraction and Consolidated reporting
Rethinking DSPOBJAUT
The DSPOBJAUT command is traditionally used interactively to inspect a single object. However, its real power emerges when used in an automated and aggregated way.
By combining:
DSPOBJAUT OUTPUT(*OUTFILE)- SQL services (
QSYS2.OBJECT_STATISTICS)
- Command execution via
QSYS2.QCMDEXC
We can transform a manual inspection tool into a library-wide authority extraction mechanism.
Solution Overview
The approach consists of three key steps:
1. Iterate Through All Objects in a Library: Use QSYS2.OBJECT_STATISTICS to retrieve all objects within a target library.
2. Execute DSPOBJAUT Programmatically: For each object, run DSPOBJAUT and direct the output to a database file.
3. Consolidate Results into a Single Dataset: Append results for all objects into one outfile for analysis.
Automation Using SQL:
The following SQL block demonstrates how to automate this process. Consider an application library (for example, QMQM in IBM MQ environments)
BEGIN
DECLARE cmd_string VARCHAR(512);
DECLARE first_obj_found INT DEFAULT 0;
-- Delete existing file (ignore error if it does not exist)
BEGIN
DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END;
CALL QSYS2.QCMDEXC('DLTF FILE(QGPL/MQAUTH)');
END;
-- Loop through all objects in the target library
FOR mqo AS
SELECT OBJNAME, OBJTYPE
FROM TABLE(QSYS2.OBJECT_STATISTICS('QMQM', '*ALL')) AS X
DO
IF first_obj_found = 0 THEN
SET cmd_string = 'DSPOBJAUT OBJ(QMQM/' || mqo.OBJNAME || ') OBJTYPE(' || mqo.OBJTYPE || ') OUTPUT(*OUTFILE) OUTFILE(QGPL/MQAUTH) OUTMBR(*FIRST *REPLACE)';
SET first_obj_found = 1;
ELSE
SET cmd_string = 'DSPOBJAUT OBJ(QMQM/' || mqo.OBJNAME || ') OBJTYPE(' || mqo.OBJTYPE || ') OUTPUT(*OUTFILE) OUTFILE(QGPL/MQAUTH) OUTMBR(*FIRST *ADD)';
END IF;
CALL QSYS2.QCMDEXC(cmd_string);
END FOR;
END;
-- Execute the final select stament
SELECT * FROM QGPL.MQAUTH;
IBM Access Client Solutions (ACS)
To run the script and to export the results, you can use IBM Access Client Solutions.
Key Steps:
- Open Actions -> Run SQL Scripts in ACS
- Execute the automation block
- Query the output file (
QGPL/MQAUTH)
- Review results in the grid
- Export the data for the analysis
Practical Benefits
This approach provides several advantages:
- ✅ Eliminates manual object-by-object inspection
- ✅ Produces a complete authority dataset
- ✅ Enables repeatable and consistent analysis
- ✅ Supports audit, compliance, and troubleshooting use cases
IBM i also provides the QSYS2.OBJECT_PRIVILEGES view, which offers a convenient SQL-based way to query object authorities. While this is useful for many scenarios, this approach is used DSPOBJAUT to ensure that the extracted data closely reflects the full authority detail provided by the system command, including both object and data authorities. By automatingDSPOBJAUT, we retain this level of detail while still enabling large-scale analysis.
