
Object Statistics: Last_used_object Field – Object Authorities

Note: Be careful when you’re evaluating *DIR objects. The last-used date isn’t updated. In other words, you must evaluate the objects in the directory to discover the correct last-used date. In fact, this is where the field last_used_object recently added to both QSYS2.OBJECT_STATISTICS and QSYS2.IFS_OBJECT_STATISTICS table functions is handy. It provides an indication of whether…


Authorization Lists: New Nav – Object Authorities

To manage authorization lists in New Nav, click on the padlock icon and choose Authorization Lists as shown in Figure 7.4. You’ll see that all permissions for all authorization lists are displayed. That’s because what IBM has done is run QSYS2.AUTHORIZATION_LIST_USER_INFO for all authorization lists and displayed the results. To be honest, this isn’t all…


Managing Permissions Using IBM i Access Client Solutions (ACS) – Object Authorities

If you wish to manage permissions using a graphical format, you’re going to have to use ACS as New Nav currently has no way to view or manage permissions. But not to worry; the interface in ACS is quite usable. In fact, I quite like the ACS interface. To use ACS to manage permissions, launch…


Object Authorities: IBM i Services for Objects in Libraries – Object Authorities

The QSYS2.OBJECT_PRIVILEGES IBM i table function allows you to list a specific object’s permissions. For example: But what I find more interesting and useful is the IBM i Service version of OBJECT_PRIVILEGES, where you can select objects based on specific criteria. It’s useful because this allows you to find those objects in your production libraries…


Authority Failure Occurs – Using Authority Collection to Reduce Users’ Authority

When reworking your security scheme, you may miss something or a process may only run periodically and the access wasn’t in the collection when you first did your analysis. I’d encourage you to turn back to the collection to resolve this authority failure if it’s not obvious how much authority is required. Yes, you can…


Authority Collection in New Nav – Using Authority Collection to Reduce Users’ Authority

New Nav provides visibility into Authority Collection and, if you’re not comfortable with using SQL, may prove an easier interface for your analysis. To access Authority Collection in New Nav, click on the padlock icon > Authority Collection. From there, you’ll have to choose whether you want the Authority Collection for Users or Objects. In…


Authority Collection for Users: Objects in the IFS – Using Authority Collection to Reduce Users’ Authority

What if your service account accesses objects in the IFS? The collection for the profile requires a slightly different configuration. Unlike objects in libraries, where you can be very specific, you can only specify the object types for which you wish to collect the profile’s access. See Figure 6.4.

Figure 6.4: STRAUTCOL for user CWOODBURYT…


Authority Collection for Users: Objects in Libraries – Using Authority Collection to Reduce Users’ Authority

First, you must start a collection for the profile you’re going to investigate. Figure 6.1 shows the Start Authority Collection (STRAUTCOL) command. Specify the profile name and then the libraries containing the objects the profile accesses. The more you can scope down the objects for which you’re going to collect information, the better, as there…


Examining the Audit Journal Using New Nav – User Profiles

New Nav provides a graphical way to view entries in the audit journal. Using the audit journal SQL table functions, audit journal entries can be viewed in New Nav. To access the entries, launch and sign in to New Nav, and then click on the padlock and choose Audit Journaling. You’ll be taken to a…


User Profiles and the Audit Journal – User Profiles

It’s one thing to analyze profiles at a point in time (which is what I’ve been describing so far), but many organizations need to understand user profile configurations over time. For example, some organizations have a requirement to track all profiles created so an auditor can look at a report and determine if the appropriate…