Managing Permissions Using IBM i Access Client Solutions (ACS) – Object Authorities
If you wish to manage permissions using a graphical format, you’re going to have to use ACS as New Nav currently has no way to view or manage permissions. But not to worry; the interface in ACS is quite usable. In fact, I quite like the ACS interface. To use ACS to manage permissions, launch ACS and then click on Integrated File System. See Figure 7.1. You’ll use this interface regardless of whether you want to manage an object in a directory or a library—not obvious, I realize. (Or you can manage permissions for objects in a library via the Schemas category in ACS.)
Figure 7.1: To manage permissions graphically, launch ACS and then click on Integrated File System.
This launches another window that will take you to the view of your /home directory. If you don’t have a /home directory, it will take you to /root. To navigate somewhere other than your home directory, you can either type the path into the Directory field or use the up arrow to walk back up the path to the previous directory. If you want to manage an object in a library, no problem. Use the path /QSYS.LIB/your_library_name.LIB. See Figure 7.2.
Figure 7.2: To get to the object you want to manage, either type the path in the Directory field or use the up arrow to walk back up the path.
Once you’ve navigated to the right object, right-click and choose Permissions. Another window will be launched, and from there you can modify all authorities. It’s basically a graphical representation of Edit Object Authority (EDTOBJAUT). See Figure 7.3.
Figure 7.3: Permissions in ACS is the same as EDTOBJAUT.
Authorization Lists: IBM i Services
If you’ve heard me speak or read my articles, you know I’m a big fan of securing objects, especially database files, with an authorization list. Two IBM i Services are available for managing authorization lists.
QSYS2.AUTHORIZATION_LIST_USER_INFO is the equivalent of Display Authorization List (DSPAUTL) and shows all of the authorities associated with the list: owner, *PUBLIC, and the private authorities assigned.
If you run this SQL, you get the permissions for all authorization lists on the system.
But you can obviously add a WHERE clause and narrow it down to information for just one list.
I find the other service associated with authorization lists, QSYS2.AUTHORIZATION_LIST_INFO, even more useful. It’s the equivalent of the Display Authorization List Objects (DSPAUTLOBJ) command. DSPAUTLOBJ tends to run for a very long time, especially if you have a lot of objects secured by the list. In fact, in previous releases, the command locks the authorization list when the command runs. This can cause noticeable pauses in your application when there are thousands of objects secured by a single authorization list.
The QSYS2.AUTHORIZATION_LIST_INFO service eliminates any locking issues. I do not advise you to run the service against all authorization lists (the following SELECT without the WHERE clause). But I do use it often to find the objects secured by a specific authorization list.
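The two services queried for a single list, as an added example that is not the author's own SQL: the first statement is the DSPAUTL-style view, the second narrows it to entries worth a closer look during a review, and the third lists the objects the list secures. The list name PAYROLL_AL is a hypothetical placeholder, and the column names and the 'YES' value are assumptions based on the IBM i Services view definitions, so confirm them against the catalog for your release.

```sql
-- Added example. 'PAYROLL_AL' is a placeholder authorization list name.
-- Column names are assumed from the IBM i Services view definitions.

-- 1. Authorities on one list (DSPAUTL equivalent): owner, *PUBLIC, private.
SELECT AUTHORIZATION_LIST,
       AUTHORIZATION_NAME,
       OBJECT_AUTHORITY,
       AUTHORIZATION_LIST_MANAGEMENT
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'PAYROLL_AL'
 ORDER BY AUTHORIZATION_NAME;

-- 2. Same list, only the entries to review first: what *PUBLIC gets,
--    any profile with *ALL, and any profile that can manage the list itself.
SELECT AUTHORIZATION_NAME,
       OBJECT_AUTHORITY,
       AUTHORIZATION_LIST_MANAGEMENT
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'PAYROLL_AL'
   AND (AUTHORIZATION_NAME = '*PUBLIC'
        OR OBJECT_AUTHORITY = '*ALL'
        OR AUTHORIZATION_LIST_MANAGEMENT = 'YES')
 ORDER BY AUTHORIZATION_NAME;

-- 3. Objects secured by that list (DSPAUTLOBJ equivalent).
--    Keep the WHERE clause so the service does not walk every list on the system.
SELECT *
  FROM QSYS2.AUTHORIZATION_LIST_INFO
 WHERE AUTHORIZATION_LIST = 'PAYROLL_AL';
```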