
New Function Usage IDs

January 15, 2013

Some time ago, I wrote a blog on Functional Usage Capabilities. Since that blog was written, I have learned about two additional function usage IDs that were introduced on the 6.1 and 7.1 releases via PTFs.

The two function usage IDs are: 

  • QIBM_DB_ZDA - TOOLBOX APPLICATION SERVER ACCESS
    This function usage ID lets you restrict access to the optimized server that handles DB2 requests from clients. Server access is used by the ODBC, OLE DB and .NET providers that ship with IBM i Access for Windows, as well as by JDBC Toolbox, Run SQL Scripts, and other parts of System i Navigator and the Navigator for i Web console. It provides an easy alternative to writing an exit program for controlling access to these functions from the server side.

    The following PTFs provide this enhancement:
  • QIBM_DB_DDMDRDA - DDM & DRDA APPLICATION SERVER ACCESS
    This function usage ID lets you restrict access to the DDM and DRDA application server. It provides an easy alternative to writing an exit program for controlling access to DDM and DRDA from the server side.

    The following PTFs provide this enhancement:

The above PTFs may all be applied immediately; however, the appropriate server jobs need to be ended before the PTFs are installed and then started again afterward. See the PTF cover letters for detailed instructions and documentation on the function.

With the PTFs installed, these function usage IDs will be available on the WRKFCNUSG and CHGFCNUSG commands. The default values are to allow access, so installing the PTF will not change existing behavior. In addition, System i Navigator and Navigator for i will also display these function usage capabilities; they are found within the Host Applications, under the IBM i > Database grouping. The following screen capture shows an example:

[Screen capture: DawnMayFU3]

The following screen capture shows an example of the QIBM_DB_ZDA function usage with customization. I have denied user DAWN access to the ToolBox Application server, which means user DAWN cannot run functions that require the QZDASOINIT job.

[Screen capture: DawnMayFU1]

If you restrict a user with the QIBM_DB_ZDA function usage ID as my example above shows, that user will not be able to use any functions from the GUI that require the QZDASOINIT server job. On the client side, you may see the following error:

[Screen capture: DawnMayFU2]

This may be a little difficult to debug. Security auditing can be used to track authorization failures; information about the failed function usage check is logged in the audit journal.

While my example for this blog is trivial and probably not something you would implement, it does demonstrate how easy it is to set this up. If you have the need to restrict or control access to ODBC/JDBC functions or the DDM/DRDA server, you now have an easy way to do this.
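The same setup can be done from the command line with the CHGFCNUSG command mentioned above. The following CL is an added example, not part of the original post: the first part reproduces the per-user denial of DAWN, and the second goes one step further to a default-deny allow list. The profile name APPSVC is a hypothetical service profile used only for illustration.

```cl
/* Added example, not from the original post.                        */
/* APPSVC is a hypothetical profile; DAWN is the user from the post. */

/* 1. Per-user denial: everyone keeps the shipped default (allowed), */
/*    but DAWN can no longer use functions served by QZDASOINIT.     */
CHGFCNUSG FCNID(QIBM_DB_ZDA) USER(DAWN) USAGE(*DENIED)

/* 2. Review the result: default usage plus the per-user entries.    */
DSPFCNUSG FCNID(QIBM_DB_ZDA)

/* 3. Allow-list variant for DDM/DRDA: add the explicit allow first  */
/*    so the permitted profile is never locked out, then flip the    */
/*    default from allowed to denied.                                */
CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) USER(APPSVC) USAGE(*ALLOWED)
CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) DEFAULT(*DENIED)
DSPFCNUSG FCNID(QIBM_DB_DDMDRDA)

/* 4. Undo a per-user entry so the user falls back to the default.   */
CHGFCNUSG FCNID(QIBM_DB_ZDA) USER(DAWN) USAGE(*NONE)
```

Before changing a default to denied, check which profiles existing ODBC/JDBC or DDM/DRDA connections run under, since the shipped default allows access and anything not explicitly allowed will start failing.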

There is a very nice article, Add QIBM_DB_ZDA and QIBM_DB_DDMDRDA function usage IDs, on developerWorks. This article covers all the information I’ve highlighted in this blog and it has additional information on how to use the audit journal to see if the function usage check fails.

Posted January 15, 2013