The blog post on Functional Usage Capabilities gives an overview of function usage IDs. Since that blog was written, two additional function usage IDs were introduced for Db2 access control. These function usage IDs were added in the 6.1 and 7.2 releases.
The two function usage IDs are:
- QIBM_DB_ZDA – TOOLBOX APPLICATION SERVER ACCESS
This function usage ID makes it possible to restrict access to the optimized server that handles Db2 requests from clients. This server is used by the ODBC, OLE DB and .NET providers that ship with IBM i Access for Windows, as well as by the JDBC Toolbox driver, Run SQL Scripts, and other parts of System i Navigator and the Navigator for i Web console. It provides an easy alternative (rather than writing an exit program) to control access to these functions from the server side.
- QIBM_DB_DDMDRDA – DDM & DRDA APPLICATION SERVER ACCESS
This function usage ID makes it possible to restrict access to the DDM and DRDA application server. It provides an easy alternative (rather than writing an exit program) to control access to DDM and DRDA from the server side.
The documentation on the QIBM_DB* function usage IDs is in the Knowledge Center topic Authority Options for SQL Analysis and Tuning.
These function usage IDs are available on the WRKFCNUSG and CHGFCNUSG commands. The default usage setting for both is to allow access. Navigator for i also displays these function usage capabilities; they are found within Host Applications, under the IBM i > Database grouping. The following screen capture shows an example:
The following screen capture shows an example of the QIBM_DB_ZDA function usage with customization; I have denied user DAWNMAY from having access to the ToolBox Application server; this means user DAWNMAY cannot run functions that require the QZDASOINIT job.
If you restrict a user with the QIBM_DB_ZDA function usage ID as my example above shows, that user will not be able to use any functions from the GUI that require the QZDASOINIT server job. For example, if DAWNMAY attempts to run Run SQL Scripts in Access Client Solutions, the following error occurs:
This may be a little difficult to debug, because the client only sees a generic connection failure. Security auditing can be used to track authorization failures; information about the failed function usage check is logged in the audit journal.
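As an added example (not from the original post), the following CL commands apply the same restriction from a 5250 session instead of Navigator: deny user DAWNMAY both Db2 servers, verify the setting, and look for the resulting authority-failure entries in the audit journal. The user name comes from the post; that QAUDLVL already includes *AUTFAIL, and that the failure is recorded as an AF entry, are assumptions to confirm in the Knowledge Center topic the post cites.

```cl
/* Confirm authority failures are being audited at all; the          */
/* function usage check is only visible in QAUDJRN when QAUDLVL      */
/* (or QAUDLVL2) includes *AUTFAIL. Assumption: it already does.     */
DSPSYSVAL SYSVAL(QAUDLVL)

/* Deny DAWNMAY the ToolBox application server (QZDASOINIT jobs:    */
/* ODBC, OLE DB, .NET, JDBC Toolbox, Run SQL Scripts).              */
CHGFCNUSG FCNID(QIBM_DB_ZDA) USER(DAWNMAY) USAGE(*DENIED)

/* Deny the same user the DDM/DRDA application server.              */
CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) USER(DAWNMAY) USAGE(*DENIED)

/* Verify: the default usage stays *ALLOWED for everyone else, with */
/* DAWNMAY listed as the one explicit *DENIED entry.                 */
DSPFCNUSG FCNID(QIBM_DB_ZDA)
DSPFCNUSG FCNID(QIBM_DB_DDMDRDA)

/* Troubleshooting a user who cannot connect: list authority        */
/* failure (AF) entries from the audit journal and look for the     */
/* user and the QZDASOINIT or DRDA server job name.                 */
/* Assumption: the usage failure is written as an AF entry type.    */
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(AF) OUTPUT(*)

/* To undo the restriction, set the usage back to allowed.           */
CHGFCNUSG FCNID(QIBM_DB_ZDA) USER(DAWNMAY) USAGE(*ALLOWED)
```

The same settings can be read with SQL from the QSYS2.FUNCTION_USAGE view (for example, selecting rows whose FUNCTION_ID starts with QIBM_DB_), which is convenient for periodic review of who is denied.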
If you need to restrict or control access to ODBC/JDBC functions or to the DDM/DRDA server, these function usage IDs give you an easy way to do it.
The article, Add QIBM_DB_ZDA and QIBM_DB_DDMDRDA function usage IDs, covers all the information I’ve highlighted in this blog and it has additional information on how to use the audit journal to see if the function usage check fails.
This blog post was edited for currency on March 17, 2020.
This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.