Blog
i can

« Three Years of 'i Can' | Main | Functional Usage Capabilities, Part 2 »

August 20, 2012

Functional Usage Capabilities

Did you know that you can limit access to system functions by registering which users can access which functions? You can allow access or deny access via the functional usage capabilities; depending on the component, you could allow one user to change some settings and allow another user to only view those settings. Many system components support the use of function usage capabilities to provide more granular access to their capabilities. Functional usage does not eliminate or replace the need for securing resources on your system; it simply provides an additional way to control what functions a user can access.

There are:

The User Function Registration Facility API set was first introduced into the system way back in V4R3, so this capability has existed for quite a while. The commands were introduced in V5R3, which improved ease of use since a program no longer had to be written to implement it.

The first use of limiting function access within the operating system was in the V4R5 release when the Trace Connection (TRCCNN) command was introduced. Service commands required *SERVICE special authority; but *SERVICE special authority is quite powerful, and it's very likely that you'll want to allow someone to collect a dump or a trace, but not want them to have *SERVICE special authority. Today, most all of the service commands (trace, dump, watch) are supported with customized access via functional usage.

Since the introduction of TRCCNN, more system components have added support for granular access via functional usage. You can see the full list of functions supported with the DSPFCNUSG or WRKFCNUSG commands by taking the default of *ALL. The GUI also provides a list of all functions that are available.

The GUI for this capability can be found under Application Administration; it is the Host Applications category that provides this support.

  • Default Access allows all users to access the function by default 
  • All Object Access allows all users with all object system privilege to access the function
  • Customize allows you to add or remove users or groups in the Access Allowed and Access Denied lists.

The following screen capture shows the kind of information you can see with the Display Function Usage command. In my example, you can see that I have allowed user DAWNMAY to access trace functions, even though DAWNMAY may not have *SERVICE special authority. User DAWN is not allowed to access trace functions.

08202012 DawnMay3

 

Posted at 12:34 PM in IBM i, IBM Systems Director, Security, System i Navigator |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83545a5d153ef0177443dd74f970d

Listed below are links to weblogs that reference Functional Usage Capabilities :

Comments

Where can I find detailed documentation that describes exactly what each of these FUNCTION IDs controls?
Does one of the available function IDs allow me to control interactive SQL usage. I have some users (new programmers, support people,etc. where I want to prohibit the DELETE, UPDATE, CREATE operations but allow a SELECT operation.

Posted by: Jeff Geldermann | August 22, 2012 at 01:36 PM

The options in WRKFCNUSG are also available in iNav. Right click on the system name and select Application Administration.

Alas, there are no capabilities to restrict types of SQL selections. However, if you don't allow your users to use STRSQL, but instead restrict them to STRQM you can
10. Work with Query Manager profiles
2=Change
Page down to bottom.
Select allowed SQL statements
There you have the control requested.
Caution: If your users get into STRSQL, or iNav's "Run SQL Scripts" or any number of tools outside of STRQM these restrictions do not apply.

Posted by: Rob Berendt | August 22, 2012 at 03:24 PM

It's taken me a LONG time, but there's now an article on developerWorks about IBM i function usage capabilities along with a reference PDF that documents all the function usage IDs.

The article is "Granular security control with function usage" and can be found here -
https://www.ibm.com/developerworks/ibmi/library/i-granular-security/

Dawn

Posted by: Dawn | November 12, 2013 at 08:26 AM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.