February 08, 2017
Last week I wrote about Application Administration with Navigator for i
. I suspect most readers already knew about application administration with Navigator.
Access Client Solutions (ACS)
has had the ability to restrict the usage of specific functions by modifying the AcsConfig.properties file. Restricting access in this way removes the function from the main GUI and disables its usage from the command line. If you aren’t aware of this capability and want to know more, refer to the Getting Started
document, Section 9.5 Customized Packages
But did you know that with the latest ACS update (January 2017), you could also use Application Administration to restrict the tasks that a user can access with Access Client Solutions?
If you had restricted access to Navigator tasks by using Application Administration, or if you used the Client Applications to restrict features of IBM i Access for Windows, those application administration restrictions now apply to ACS.
Functions that are controlled by Application Administration for Navigator functions are:
Integrated File Systems
Database tasks (Run SQL Scripts and SQL Performance Center)
Functions that are controlled by Application Administration for Client Applications are:
The support added in the January 2017 update allows you to restrict each of the above functions in its entirety by disabling the entire category using App Admin.
As you are getting started with this support, you may stumble upon a situation where it appears as if the customizations do not take effect. ACS caches the fact that a user is authorized to a function; if a user had been using ACS and becomes restricted from a function, ACS must be restarted for the restriction to take effect.
Below I show the details of what must be set in Application Administration in order for the user to be restricted from the corresponding function in ACS. In all of my examples, I have customized the Application Administration settings to exclude user DAWNMAY from specific functions.
can be restricted from access by customizing Printer Output in the Basic Operations section of Navigator for i functions.
When a user is not allowed to use the Printer Output functions, taking Printer Output from the main ACS menu results in the following error:
In the remaining examples, I’m not going to show the error messages; they all are similar and state the function usage that has been restricted. FYI, if you are not sure what the text string means (e.g., QIBM_XD1_OPNAV_PRINTOUT), you can use the WRKFCNUSG command which will display the text string along with a brief function description. In addition, I wrote an article summarizing function usage IDs
some time ago.
Integrated File System
To restrict access to the Integrated File System tasks within ACS, you need to restrict access to all file systems within Navigator Application Administration, as the following screen capture shows.
The SQL Performance Center
can be restricted from access by customizing by denying access to both SQL Performance Monitors and SQL Plan Cache in the Databases section of Navigator for i functions
Run SQL scripts
can also be restricted by disallowing a user from all four of the database functions in Navigator.
Customizing the configuration under Client Applications, System i Access for Windows -> 5250 Display and Printer Emulator restricts the 5250 Emulator.
When a user is restricted from using the 5250 Emulator, they will be able to start the 5250 emulator and will get prompted to sign on. However, the sign on will fail with an error that the user is not allowed to use the 5250 Emulator, as the following screen capture shows:
Customizing the configuration under Client Applications, System i Access for Windows -> Data Transfer restricts Data Transfer.
Upload and Download can be independently restricted.
There’s still more work to do to make the ACS support of Application Administration equivalent to that of System i Navigator (client application). This January 2017 update is another step in that direction.
Posted February 08, 2017 | Permalink