Admin Alert: Fine Tuning User Access with Application Administration
July 8, 2009 Joe Hertvik
Being a robust system developed over several decades, i5/OS has several valuable features that you may not be aware of. For example, the Application Administration function allows you to provide and deny access to many sensitive system functions. This week, I’ll look at Application Administration and demonstrate how it can help you obtain better control over what your users can and cannot do on the system.
What is Application Administration?
Application Administration is an optional plug-in for iSeries Navigator (OpsNav). It allows you to view and customize the following client- and server-based applications and functions associated with i5/OS processing:
Once you understand what Application Administration does, you can use it to solve a number of simple but valuable access issues within your shop.
Discovering Application Administration
In i5/OS V5R4 and below, you can access Application Administration from within iSeries Navigator by right-clicking on the system you want to set controls for and selecting Application Administration from the pop-up menu that appears. This will bring up the following Application Administration panel.
This panel has three tabs for setting control settings for the iSeries Navigator, iSeries Access for Windows, and Client Access functions and applications described above. You can configure the following access settings for any function listed under each of the Application Administration tabs.
Now that I’ve explained the basics of how Application Administration works, let’s look at a quick example to demonstrate how it can be used in everyday system administration.
Opening Up Job Logs
In my shop, a job that was running under an *ALLOBJ user profile was malfunctioning. One of our programmers was assigned to debug the issue but i5/OS wouldn’t let her view the job log of any user possessing *ALLOBJ authority. Aside from giving her *ALLOBJ authority or providing her with access to the *ALLOBJ user profile (which would also give her *ALLOBJ authority), we were looking for a solution to enable her to view the job logs for all user profiles.
To solve the problem, we went into Application Administration and opened the Host Applications tab. We then opened the i5/OS→All Object→ path under Host Applications and found an entry called Access job log of *ALLOBJ job. We clicked on the Customize button on the screen and OpsNav showed us the following Customize Access screen.
This screen controls what access rights users have to look at the job logs of any user that has *ALLOBJ authority. In this case, the Default Access radio button was turned off, which meant that in our system, users without *ALLOBJ authority would not be able to view the job logs of users with *ALLOBJ authority.
To remedy this, we noted that the programmer belonged to a group user profile called PGMRS. We also determined that there was a need for any of the programming staff to be able to look at anyone’s job log in order to debug system issues. So we decided to give the PGMRS group access to view *ALLOBJ user job logs. We did this by opening the Groups node in the Users and groups area of the Customize Access screen. We then added the PGMRS group to the Access Allowed area for this function by clicking on the Add button. The screen looked like this.
We clicked on OK and the system started allowing any user in the PGMRS group to access job logs for jobs running under an *ALLOBJ user profile. Making this one simple change allowed us to open up job log viewing authority without providing our programmers with *ALLOBJ authority.
Other Valuable Application Administration Functions
I hope this shows you how easy it is to use Application Administration to provide functional access without granting excessive user authority to your profiles. In addition to using it to provide access to job logs for debugging purposes, you may also want to check these common problem areas where you may need to grant or deny access to critical i5/OS functions.
Under the iSeries Navigator tab of Application Administration:
Under the iSeries Access for Windows tab of Applications Administration:
Under the Host Applications tab of Application Administration:
Using Host Application Administration on the Green Screen
Besides customizing client- and server-based functions and applications in OpsNav, you can also access and change server-based access lists on the green-screen. To change, display, and work with Application Administration settings inside a PC5250 session, use the following i5/OS green-screen commands.
Display Function Usage (DSPFCNUSG)–Shows a list of the function identifiers that are available on your partition. It can also be used to show detailed information about each identifier.
Work with Function Usage (WRKFCNUSG)–Allows you to display and change access lists associated with a function identifier.
Change Function Usage (CHGFCNUSG)–A green-screen command for changing access for registered functions, similar to how you change function access through OpsNav’s Customize Access screen. Note that to use this command, you have to know the Function ID of the function that you want to control access for. A complete list of function ID names can be retrieved by using the DSPFCNUSG command.
About Our Testing Environment
This article was tested on a System i 550 partition running i5/OS V5R4. We tested the OpsNav features by using the iSeries Navigator program that came with iSeries Access for Windows V5R4M0. Information presented here may also work with earlier versions of the i5/OS and OS/400 operating systems and with pre-V5R4M0 versions of iSeries Navigator. However, earlier versions may have slightly different features due to improvements that were made from release to release.