iSeries Navigator: Application Administration
February 25, 2004 Shannon O'Donnell
One of the coolest things about OS/400 is its integrated security. If you are not the owner of an object, and that object does not have public access, and no one has granted you specific access to that object, guess what? There is absolutely no way you can get into it. Period. Show me any other operating system in the world that you can say that about.
The iSeries Navigator’s Application Administration tool allows OS/400 users who have sufficient authority in their user profile (*ALLOBJ, *IOSYSCFG), and have this piece of software installed on their PC, to control access to a wide variety of features, objects, and services that are available on both the iSeries and the client PCs.
This article explores the Application Administration utility and explains how to use it in order to gain positive control of your iSeries system.
APPLICATION ADMINISTRATION: WHAT IS IT?
What is application administration, and why should you care? Application Administration, an optional component of iSeries Navigator, is a set of functions that are built into iSeries Navigator and accessed via a GUI. They allow those with sufficient authority in their user profile to control access to services and software on both the client PC and the iSeries, the only caveat being that such services and software must have been registered as “administrable functions.” Administrable functions are functions to which you can grant or deny access, using Application Administration.
Registration takes the form of “local” and “central” settings, and you are automatically prompted to register any new software installed since the last time you used Application Administration.
Local settings refers to applications installed with iSeries Access for Windows (formerly known as Client Access for Windows) on the client PC. Applications that can be registered as local include the following:
- iSeries Navigator and any plug-ins.
- Client applications, including any functions, such as Remote Command server or iSeries Access for Web, which are installed as part of iSeries Access for Windows.
- Host applications that reside entirely on your server but can be controlled via Application Administration. An example is Digital Certificate Manager, for managing Secure Sockets Layer (SSL) certificates.
Central settings apply to both iSeries Access for Windows and Advanced Settings for iSeries Access for Windows. Settings you can administer under iSeries Access for Windows include all iSeries Access for Windows administrable functions. Advanced Settings for iSeries Access for Windows allows you to control settings for such things as password, connection, service, environment, and language.
APPLICATION ADMINISTRATION: WHERE IS IT?
Before you can start using Application Administration, you have to be able to find it. Application Administration, like so many features in iSeries Navigator, is well hidden. For some iSeries Navigator features, this is understandable and even forgivable, but for IBM to bury Application Administration on a context menu is inexplicable and downright baffling. However, you will now learn the secrets and benefits of Application Administration.
To start Application Administration, open iSeries Navigator and right-click the system ID you wish to administer.
When you first install iSeries Access for Windows and the iSeries Navigator components, all services receive default access, and their “All Object Access” property boxes are checked.
DEFAULT AND ALL OBJECT ACCESS
Default access means that any user or group who has this component of iSeries Navigator installed on the client PC will have access to that service. If, for instance, a user has the “basic operations” component installed, that user will be able to use any of its features, such as displaying spool files, working with printers, and working with jobs.
All Object Access means that this property box governs users and groups with *ALLOBJ (All Object) special authority in their profile: deselecting it for the selected service causes even those user or group profiles to be unable to use the function. The “All Object Access” property box here overrides the *ALLOBJ authority for users attempting to use that service from iSeries Navigator. For example, deselecting the “All Object Access” box for “Printer Output” will make users with *ALLOBJ authority unable to work with printer output from Operations Navigator.
There are three tabs across the top of the Application Administration GUI panel: “iSeries Navigator,” “Client Applications,” and “Host Applications.” Each tab, when clicked, displays the services and functions appropriate to that tab. When, for instance, the iSeries Navigator tab is clicked, which is the default view, you will see a list of all iSeries Navigator components, displayed in the same order they appear in the iSeries Navigator tree.
From this view, you can choose to deny or grant, at the system level, access to these iSeries Navigator components. To deny access, simply uncheck the box next to the component you do not wish any user to have access to from iSeries Navigator. To allow access to those components, ensure that the “Default Access” property box is checked. To provide this same level of control for users with *ALLOBJ authority in their user or group profile, select or deselect the “All Object Access” property box.
Keep in mind that any changes you make here apply to everyone, because these changes apply to the system level. To override properties for individual users or group profiles, you will need to provide “customized access.”
There are two ways to provide customized access. The first, and probably the easiest, is to right-click the component you wish to customize and select the “Customize” item from the resulting context menu. The other option is to drill down through the iSeries Navigator tree to the individual user and group profiles, right-click a user or group profile, and open its properties panel; there you will find a customization button that displays the customization panel.
Right-click the iSeries Navigator component in the Application Administration panel and select the “Customize” menu item, and you will see the customization panel.
The particular function (or component) that you wish to customize is listed for your convenience at the top of this panel. In addition, you control whether the setting you make here applies to default access, all object access, or both, by checking or unchecking the box above the list of users and groups. By clicking the plus (+) sign next to each tree item, you can display user profiles, group profiles, and users not in a group. And, finally, to add a user to the “Access Allowed” or the “Access Denied” list box, at the right side of this panel, simply click that user or group profile in the list box on the left, then click the appropriate “Add” button. To remove this level of access, select the item in the list box you wish to remove and click the “Remove” button.
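As an added illustration (not code from the article or from IBM), the following Python model shows how the system-level Default Access and All Object Access boxes and the customized Access Allowed/Access Denied lists combine for a given user, and which users a system-level change would lock out. The precedence order among the settings (user entry, then group entry, then *ALLOBJ with All Object Access, then Default Access) is an assumption of this model rather than something the article states, and the profile and function names are constructed.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class UserProfile:
    name: str
    groups: tuple = ()        # group profiles the user belongs to
    allobj: bool = False      # *ALLOBJ special authority in the profile

@dataclass
class Function:
    """One administrable function, e.g. "Printer Output", with its settings."""
    name: str
    default_access: bool = True
    all_object_access: bool = True
    allowed: frozenset = frozenset()   # customized "Access Allowed" list
    denied: frozenset = frozenset()    # customized "Access Denied" list

def has_access(user, fn):
    """Return (allowed?, reason) for one user against one function.
    Precedence below is this model's assumption, not IBM's documented order."""
    if user.name in fn.denied:
        return False, "user on Access Denied list"
    if user.name in fn.allowed:
        return True, "user on Access Allowed list"
    if any(g in fn.denied for g in user.groups):
        return False, "group on Access Denied list"
    if any(g in fn.allowed for g in user.groups):
        return True, "group on Access Allowed list"
    if user.allobj and fn.all_object_access:
        return True, "*ALLOBJ with All Object Access checked"
    return fn.default_access, "system-level Default Access"

def users_losing_access(users, fn, **changes):
    """Names of users who can use fn now but could not after the changes,
    e.g. users_losing_access(users, fn, default_access=False)."""
    before = {u.name for u in users if has_access(u, fn)[0]}
    after = {u.name for u in users if has_access(u, replace(fn, **changes))[0]}
    return sorted(before - after)

# Constructed sample profiles and one function; not taken from a real system.
USERS = [UserProfile("SECADM", allobj=True), UserProfile("OPER1", groups=("OPERATORS",)),
         UserProfile("DEV1", groups=("DEVELOPERS",)), UserProfile("CONTRACT")]
PRINTER_OUTPUT = Function("Printer Output", denied=frozenset({"CONTRACT"}))

if __name__ == "__main__":
    for u in USERS:
        print(u.name, *has_access(u, PRINTER_OUTPUT))
    print("unchecking Default Access locks out:",
          users_losing_access(USERS, PRINTER_OUTPUT, default_access=False))
    print("also unchecking All Object Access locks out:",
          users_losing_access(USERS, PRINTER_OUTPUT, default_access=False, all_object_access=False))
```

Running the checks before toggling a system-level box shows which profiles would be affected, which is the review the article's later warning about blocking a required service calls for.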
Client applications are functions that run from the client to the server. These include 5250 display and printer emulation, data transfer, ODBC support, OLE DB Provider, and remote command line.
Again, check or uncheck the “Default Access” and “All Object Access” boxes to either grant or deny users or groups at the system level the ability to use these services. Be careful. Clicking the wrong property box at the system level could block all users from using a required service such as 5250 emulation. You can also control access to iSeries Navigator functions for individual users in the manner described above.
Host applications are services that run and reside entirely on the iSeries. These include Digital Certificate Manager, Management Central, Operating System 400, QIBM_EJB_Product and TCP/IP utilities for iSeries. You can control many things from here.
Under Digital Certificate Manager, you can control access to the *SYSTEM Certificate Store and the ability to sign applications. The *SYSTEM Certificate Store is the physical repository for the SSL certificate, so controlling access to this is extremely critical. The same holds true for the ability to sign applications.
Under Operating System 400, you can control access to such things as LPAR (logical partitioning) management, the ability to administer directory services, the ability to work with clusters (for high availability systems), and the ability to display disk units in the iSeries Navigator GUI (if you also have a separate Ethernet card installed in your iSeries for the dedicated Service Tools functionality).
Under TCP/IP Utilities, you can control all access to the FTP server and client functions on your iSeries. You can control access to every FTP function and command (such as get, put, cd, ls, quote, site) through the properties button for each of those functions. Again, remember that the access settings you make here affect everyone on your system. If you want to control access to FTP for individual users or groups, you can do so by using the “Customization” panel.
CONTROL IS AT YOUR FINGERTIPS
Application Administration is a very powerful tool you can use to control access to a wide variety of services and functions on both your client PCs and your iSeries system. As with all powerful tools, however, a word of caution is in order. Ensure that you install Application Administration only on those users’ PCs who are in a position of responsibility and accountability and have a true need to use it.