Ah, thanks - this gives the full explanation - #2 is not done when the user has no
*ALLOBJ on his own. #3 will be the thing that is found, when a private *EXCLUDE is
set on the object for that user. The group's *ALLOBJ is never checked.
Here is the way I understand this ....
#2 checks for *ALLOBJ special authority, if you don't have it, then checking continues on to step #3... If the object is set to *EXCLUDE for this user, then authority checking stops...and access is denied.
But if you give a user *ALLOBJ authority via a GROUP profile this allows you to modify a user's access to individual objects via private authority or authority list settings, before access is allowed via *ALLOBJ.
Reply or Forwarded mail from: Kenneth E Graap