Rolling Back Root Shares Carefully and Successfully

We’ve had a lot of questions recently on how to safely remove an IBM i root directory share in NetServer. Until IBM i 7.4, the only way to do it practically is a little cavalier. You essentially pick a time of day that isn’t too busy, inform your users, and then break the root share in a controlled fashion. How do you break it? Well, you can remove the share or make it read-only, and then you see who complains. If the complaints are minimal, you service those users by finding out what they used to do, then show them the new way. Most likely they’re heading for a subdirectory via the root share so creating them a direct share is the most appropriate course of action.

In IBM i 7.4, we can safely determine if a root share is in use by turning on Authority Collection for the root. We do that with the following command:

CHGAUTCOL OBJ(/) AUTCOLVAL(*OBJINF)

Now what happens is every time someone accesses the root directory, Authority Collection will keep track of those touchpoints.

Now, we can view anyone’s NetServer root access with SQL. The problem is we need to identify NetServer hits vs someone accessing the IFS root via an application or maybe just doing a WRKLNK ‘/’ command. We do this by only selecting Authority Collection data for the QZLSFILE jobs which are used by NetServer.

select authorization_name,check_timestamp from QSYS2.AUTHORITY_COLLECTION_FSOBJ where (job_name = ‘QZLSFILE’ OR job_name=’QZLSFILET’) and PATH_NAME = ‘/’

Now we have a list of users who are using the root directory share via NetServer. Time to pay those folks a visit to set them up properly by removing the root share and giving them a share to an appropriate directory.

 

More from this month’s newsletter:

2 thoughts on “Rolling Back Root Shares Carefully and Successfully”

  1. Nice article, small correction:
    “In IBM i 7.4, we can safely determine if a root share is in use by turning on Authority Collection for the root. We do that with the following command:

    CHGAUTCOL OBJ(/) AUTCOLVAL(*OBJINF)”

    Authority collection is not turned on by CHGAUTCOL, but by STRAUTCOL.
    Without starting aut col not too much info will be collected.

Leave a Comment

Your email address will not be published. Required fields are marked *