A reader comment from last week’s blog asked the question:
Where can I find detailed documentation that describes exactly what each of these FUNCTION IDs controls? Does one of the available function IDs allow me to control interactive SQL usage? I have some users (new programmers, support people, etc.) where I want to prohibit the DELETE, UPDATE, CREATE operations but allow a SELECT operation.
I’ll answer the second part of the question first: No, function usage does not allow you to control interactive SQL use. You can control access to DB/SQL administration and monitoring facilities however; the DB/SQL function usage introduced with the IBM i 7.1 release. The Authority Options for SQL Analysis and Tuning topic in the Knowledge Center describes these function usage capabilities.
When I started to compose this article, I was thinking “This will be such an easy blog to write!” Was I wrong! I knew a lot of components had taken advantage of the function usage capability, but I didn’t realize just how many. And of course, I also thought that the documentation on the various function IDs would be mostly a matter of pulling things together, but I was also wrong about that.
So where can you find some additional documentation?
Three places:
- If you use the Display Function Usage or Work with Function Usage commands, you can display information about each Function Usage ID. One piece of information is the Description, which provides a brief overview of what that Function Usage ID is for.
However, the easier approach is to use the GUI. The Host Applications listed use the descriptive name which is much more meaningful than the QIBM… ID you find on the command-line interface. The screen capture below is an example of what you will see. Many of the functions are self-describing and you can pretty easily figure out what is controlled from the description. - Search for the QIBM… string in the IBM i Knowledge Center. This search will return all the interfaces that check on the specified identifier and you will get a pretty good idea of what the function is for. However, it turns out that not all function IDs are documented in the Knowledge Center, and those that are generally have information scattered.
- Internet search. Some of the functions have had articles written on them when they were first made available. An Internet search on the QIBM…. string may find some additional information beyond what is in the IBM i Knowledge Center.
When I started to write this blog, my intent was to include the full set of documentation and chase down information on the IDs that are not documented in the Knowledge Center. However, when the initial draft of this blog was at 16 pages (!). I realized this was a topic beyond what I can cover in the blog.
Article Granular Security Control with Function Usage, and the reference document it links, IBM i Function Usage IDs, is the completed documentation.
Finally, there is an old Redbooks publication, Operations Navigator V5R1 Volume 1: Overview and More, that has a good chapter on Application Administration that is still applicable. Note that the Redbooks pub is based upon the Operations Navigator client, but the capabilities are the same, even in the browser (Navigator for i).
This blog post was edited for currency on February 21, 2020.
This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.