
Authority Collection in New Nav – Using Authority Collection to Reduce Users’ Authority

New Nav provides visibility into Authority Collection and, if you’re not comfortable with SQL, may prove an easier interface for your analysis. To access Authority Collection in New Nav, click the padlock icon > Authority Collection. Next, choose whether you want the Authority Collection for Users or Objects. In this case, I chose Users. Then specify the profile you’re investigating and choose the information you want to view. If you want all of that user’s entries, choose View Collection. As in all other New Nav windows, if you want different columns, click the three vertical dots and adjust to your preference. That preference will be remembered going forward.

You may find what I call “shortcut filters” handy. Rather than seeing all entries (by choosing View Collection), perhaps I want to see only the directories the profile is accessing. In this example, I chose IFS directories. Figure 6.6 shows the summary of the directories accessed by the profile CWOODBURYT.

Figure 6.6: Choose IFS Directories from Authority Collection for a User to see the summary of directories accessed.

Notice the /QIBM/ entries that I mentioned in my earlier example. Using this view, I can ignore those and focus on the directories I want to secure. Highlight the directory, right-click, and choose Show All Items to see the entries for that specific directory.
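The same directory summary can be reproduced offline from exported collection rows. The following is an added example, not part of the original text or of New Nav: it assumes the rows were exported to CSV with hypothetical column names (`profile`, `path_name`, `required_authority`), uses constructed sample data, skips /QIBM/ paths, and reports for each remaining directory the objects touched and the union of authorities required.

```python
import csv
import io
import posixpath
from collections import defaultdict

# Constructed sample export. Column names and rows are assumptions made
# for this example; they are not New Nav's own export layout.
SAMPLE_CSV = """profile,path_name,required_authority
CWOODBURYT,/QIBM/ProdData/OS400/jt400/lib/jt400.jar,*OBJOPR *READ
CWOODBURYT,/payroll/2023/summary.csv,*OBJOPR *READ
CWOODBURYT,/payroll/2023/summary.csv,*OBJOPR *READ *UPD
CWOODBURYT,/payroll/2023/detail.csv,*OBJOPR *READ
CWOODBURYT,/home/CWOODBURYT/.profile,*OBJOPR *READ *EXECUTE
OTHERUSER,/payroll/2023/summary.csv,*OBJOPR *READ *UPD *DLT
"""

# Directory trees to leave out of the analysis (the /QIBM/ entries).
IGNORED_PREFIXES = ("/QIBM/",)


def summarize_directories(csv_text, profile, ignored=IGNORED_PREFIXES):
    """Group one profile's entries by parent directory.

    Returns {directory: {"objects": [...], "authority": [...]}} where
    "authority" is the union of every authority the profile needed on
    any object in that directory.
    """
    summary = defaultdict(lambda: {"objects": set(), "authority": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["profile"] != profile:
            continue
        path = posixpath.normpath(row["path_name"])
        if (path + "/").startswith(tuple(ignored)):
            continue  # system directory, not a candidate for securing
        entry = summary[posixpath.dirname(path)]
        entry["objects"].add(posixpath.basename(path))
        entry["authority"].update(row["required_authority"].split())
    return {
        directory: {
            "objects": sorted(entry["objects"]),
            "authority": sorted(entry["authority"]),
        }
        for directory, entry in sorted(summary.items())
    }


if __name__ == "__main__":
    for directory, info in summarize_directories(SAMPLE_CSV, "CWOODBURYT").items():
        print(directory, info["objects"], " ".join(info["authority"]))
```
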

Using Authority Collection to Prepare to Move Off of QSECURITY 20

If you’re using this process to determine how to remove *ALLOBJ from regular application users running at security level 20, I suggest that you first decide whether you’re going to rework your application’s entire security scheme (perhaps to use adopted authority to access database files) or secure only the files and directories containing the most critical information.

If you’re going to rework your application’s security design, I suggest that you do that first, prior to ever looking at the Authority Collection. That way, you can eliminate the application programs that adopt from your analysis (as I described previously) and determine if you’ve gotten everything configured correctly. Once you believe you have everything configured correctly, you can remove profiles’ *ALLOBJ while the system is still at level 20 and test your application.

If you are only going to secure a few objects, the analysis is easiest if you use the Authority Collection at the object level, which was introduced in IBM i 7.4. I’ll provide detailed examples of that in the next chapter. You can use Authority Collection at the User level if you’re simply trying to determine what a typical user’s access requirements are. The benefit of Authority Collection for Objects is that it will record all profiles that access the object along with the authority required. To get the list of all profiles accessing the object at IBM i 7.3 and earlier, you’ll need to turn on *ALL object auditing for the objects and examine the ZR (object reads) and ZC (object updates) audit journal entries. Or you can configure Authority Collection for every profile on the system, which is clearly not the most practical approach!
