Function Junction – Securing Applications

The ability to lock down access to applications integrated into IBM i has long been a feature of the system. In the past it was best known as Application Administration and was usually accessed either through IBM i Access for Windows using System i Navigator or through the Navigator for i web interface. With the introduction of New Navigator (the new Navigator for i web interface), the name of Application Administration has changed – sort of.

The feature as it’s accessed through the IBM i command line is called Function Usage. It can be accessed using the WRKFCNUSG command. New Navigator is now adopting this same name so that there is no confusion going forward as to what you’re working with. To access Function Usage in New Navigator, connect to the server you want to manage, hover over the padlock icon on the left, and then click Function Usage.


What comes on the screen next is a list of all the Function IDs that you can control access to on the system. The list is a bit overwhelming, as there are over 200 different Function IDs listed. Fortunately, each column has a built-in filter for quick searching. Today, for example, we’re going to look at locking down access to your FTP server. Type ‘logon’ in the Function Name column. Right-click on Logon Server and click Change.

 

Function Usage

There are two Default Authorities: Allowed and Denied. They reflect two different philosophies. Allowed is for those who want to give everyone access but deny a few users. Denied is for those who want to deny everyone but allow a few users. Most often you will choose the latter when locking down applications. For this example, we are denying all users but explicitly allowing user profile ITECHSOL to access this function.

 

Change Function Usage

A useful option on each Function ID is the *ALLOBJ special authority setting. When it is set to Used, a profile with *ALLOBJ special authority is allowed to use the function. When it is set to Not used, *ALLOBJ does not help: a profile that has been denied access cannot use the function. This lets you easily give system administrators access to functions like FTP or looking at job logs.

Using the example above, if I try to access the FTP server using my profile, smciver, I am going to get a failure message:

Failure Message

 

That’s all there is to it. I encourage you to research the different Function IDs and make sure to assess your environment thoroughly before implementing!
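The same lockdown can be scripted and reviewed in SQL, which helps when assessing many Function IDs at once. This is an added example, not part of the original article. It assumes the IBM i services QSYS2.FUNCTION_INFO, QSYS2.FUNCTION_USAGE and QSYS2.QCMDEXC are available on your release, and that the FTP Logon Server function ID is QIBM_QTMF_SERVER_REQ_0 (confirm it with the first query before running the change).

```sql
-- Added example: run from Run SQL Scripts under a profile that is
-- authorized to change function usage.

-- 1. Find the function, equivalent to typing 'logon' in the
--    Function Name column filter.
SELECT function_id, function_name, default_usage, allobj_indicator
  FROM qsys2.function_info
 WHERE UPPER(function_name) LIKE '%LOGON%';

-- 2. Apply the article's settings with the CL command CHGFCNUSG:
--    default authority Denied, ITECHSOL explicitly Allowed,
--    *ALLOBJ special authority Used.
--    The function ID is an assumption; use the one returned by step 1.
CALL qsys2.qcmdexc(
  'CHGFCNUSG FCNID(QIBM_QTMF_SERVER_REQ_0) USER(ITECHSOL) ' ||
  'USAGE(*ALLOWED) DEFAULT(*DENIED) ALLOBJAUT(*USED)');

-- 3. Verify the result: one row per explicit user or group entry,
--    alongside the default authority and the *ALLOBJ setting.
SELECT i.function_id, i.function_name, i.default_usage,
       i.allobj_indicator, u.user_name, u.user_type, u.usage
  FROM qsys2.function_info i
  LEFT JOIN qsys2.function_usage u
    ON u.function_id = i.function_id
 WHERE i.function_id = 'QIBM_QTMF_SERVER_REQ_0'
 ORDER BY u.user_name;

-- 4. Assessment aid: functions that are still Allowed by default and
--    have no explicit Denied entries, i.e. open to every profile.
SELECT i.function_id, i.function_name, i.allobj_indicator
  FROM qsys2.function_info i
 WHERE i.default_usage = 'ALLOWED'
   AND NOT EXISTS (SELECT 1
                     FROM qsys2.function_usage u
                    WHERE u.function_id = i.function_id
                      AND u.usage = 'DENIED')
 ORDER BY i.function_id;
```

Run step 4 before and after a change window to see which Function IDs remain open by default.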
