iCan Blog Archive

IBM i Services for Function Usage Information

by | Mar 29, 2016 | IBM i Services, Security | 0 comments

In 2012, I wrote about Function Usage Capabilities. That blog post reviewed user interfaces for function usage information, which includes a set of commands, APIs, and the Application Administration graphical user interface.

Now you also have IBM i Services that you can use to review the function usage information.  These services were introduced with 7.2, but they are also available on 7.1 with the Db group PTF (level 26 or later).  There are two services: FUNCTION.INFO and FUNCTION.USAGE.

QSYS2.FUNCTION_INFO
The FUNCTION_INFO service allows you to review all of the function usage capabilities that exist. The command interface (WRKFCNUSG) allows you to see this information, but it’s tedious to look at the details for many different function usage IDs.

For example, the following SQL statement will return all the function usage information, sorted by product then groups within each product.

SELECT * FROM QSYS2.FUNCTION_INFO ORDER BY FUNCTION_PRODUCT_ID, FUNCTION_GROUP_ID;

This service returns many columns of information – 

You’d have to code the Retrieve Function Information (QSYRTVFI) API to get this type of consolidated view of function usage information – but this service makes it very easy!

QSYS2.FUNCTION_USAGE
The FUNCTION_USAGE service allows you to review the configuration information for function usage IDs. Again, you can get to this information with the Retrieve Function Usage Information (QSYRTFUI) API or using the command interface – but this service provides you an easy way to review what function usage IDs have been configured to allow or deny access.

A very simple example is to list all of the function usage IDs that have authorization configured – to either allow or deny user access.  Some are shipped with IBM user profiles granted access.  

SELECT * FROM QSYS2.FUNCTION_USAGE;

In this example, you can see that I have denied user DAWN from using the Active Jobs function in Navigator for i.

Getting this same information via the DSPFCNUSG or WRKFCNUSG commands would be tedious since you have to display usage for each function ID individually.

If you aren’t familiar with function usage capabilities, read the article “Granular security control with function usage.”

This blog post was edited to fix broken links on April 15, 2020.

This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.