One of the great new functions IBM has built into IBM i as standard, and free of charge in 7.3, is the Authority Collection Services. This works a little like the performance collection services, in that you start it for one or more users to monitor access to objects in one or more Libraries or Directories.
Sounds good, I hear you cry, but what's the point of that? Well, have you ever wondered what security permissions your users actually need, as a bare minimum, in order to do their job? That is exactly what this tool tells you: it monitors access to objects and logs what sort of access a user needs in order to run the applications they actually use, in the way they actually use them.
In short: no more guessing, no more giving users *CHANGE access when they only need *USE, and best of all no more giving users *ALL just because you are not sure whether one function they use might need it at some point.
How does it work?
You start it with a simple command, specifying whose authority use you want collected and for which objects. The operating system then logs the effective level of authority the user had to each object they touched, along with the level they actually needed in order to do what they did.
All this information is logged into a file (OK, a table) and you can then report on it later, summarising what access the user had at the time and comparing it to what they actually needed.
How to start the Authority Collector
You can start and stop the authority collector using a 5250 Command or via my best mate, the Browser based, free of charge, Navigator for IBM i Client. I call it iNav for short. (https://YourSystemIP:2001)
Regardless of whether you use the 5250 command line or the iNav Graphical interface, there is only one Authority Collection Service, so you can mix and match these interfaces in pretty much any combination. More on that in a ProTip later.
It's as simple as running the STRAUTCOL command, whether from the command line, a CL program or the Job Scheduler.
In this example I am starting the Authority Collector for user ROWTON for all objects in a library called RITMON.
As shown in the image below: From the iNav interface, expand “Users and Groups”, then expand “Manage Collections” and from there you can select “Start Authority Collection” and then you can select the user you wish to monitor.
The image below shows the next part of the selection where you can select the objects you wish to monitor.
Once you have started the Authority Collector, ask the user you are monitoring to use their applications as they normally would. This can be for a period of minutes, hours or days; basically you monitor them for as long as it takes for them to exercise every part of the application they need.
When they have completed their work, end the monitor and you will be able to see what permissions they had and what permissions they actually needed to do that work.
How to stop the Authority Collector
Stopping the authority collector does not wipe the details that have been collected. The data is kept until you either start the collector again with the “Delete Previous Collection” parameter set to YES or explicitly delete the existing collection with DLTAUTCOL.
This means you can reduce the amount of noise in the collection file by stopping the authority collection service as soon as the user you are testing with has finished their work.
To stop the collection service from the 5250 Command line you can use the ENDAUTCOL command as shown below:
Or you can end it via the iNav graphical interface as shown below:
Displaying the Authority Collection Data
The data collected by the Authority Collection service is stored in a file (table) in QSYS2 called AUTHORITY_COLLECTION. This is a normal DB2 for i table, so you can use your preferred method to investigate it. From the 5250 command line your options are a little limited; for this example I have used the STRSQL interface and issued the following SQL:
SELECT * FROM QSYS2.AUTHORITY_COLLECTION WHERE USER_NAME = 'ROWTON'
This is rather crude, but you get the idea. Sadly it shows that the 5250 interface is not generally ideal for getting at the information you need, but with a little effort you can refine the SQL statement and make it work.
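Here is one such refinement, added as an example and not code from the original post: it reduces the raw collection to one row per object in RITMON showing what ROWTON held against the highest authority the collection ever saw ROWTON need. The column names SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME, OBJECT_TYPE, CURRENT_AUTHORITY and REQUIRED_AUTHORITY are assumed from the IBM documentation of the QSYS2.AUTHORITY_COLLECTION view; the comment at the top shows how to confirm them on your own release.

```sql
-- Added example (not from the original post). Column names are assumed from the
-- documented QSYS2.AUTHORITY_COLLECTION view; confirm them on your system with:
--   SELECT COLUMN_NAME FROM QSYS2.SYSCOLUMNS
--   WHERE TABLE_SCHEMA = 'QSYS2' AND TABLE_NAME = 'AUTHORITY_COLLECTION'
-- User ROWTON and library RITMON are the names used in the post.
WITH ranked AS (
  SELECT SYSTEM_OBJECT_SCHEMA AS obj_lib,
         SYSTEM_OBJECT_NAME   AS obj_name,
         OBJECT_TYPE          AS obj_type,
         -- Order the standard authority levels so they can be compared.
         -- Anything else (e.g. user-defined authority) ranks 0 and has to be
         -- read from DETAILED_CURRENT_AUTHORITY / DETAILED_REQUIRED_AUTHORITY.
         CASE CURRENT_AUTHORITY
              WHEN '*ALL' THEN 4 WHEN '*CHANGE' THEN 3
              WHEN '*USE' THEN 2 WHEN '*EXCLUDE' THEN 1 ELSE 0 END AS held_rank,
         CASE REQUIRED_AUTHORITY
              WHEN '*ALL' THEN 4 WHEN '*CHANGE' THEN 3
              WHEN '*USE' THEN 2 WHEN '*EXCLUDE' THEN 1 ELSE 0 END AS need_rank
  FROM QSYS2.AUTHORITY_COLLECTION
  WHERE USER_NAME = 'ROWTON'
    AND SYSTEM_OBJECT_SCHEMA = 'RITMON'
),
per_object AS (
  -- One row per object: the authority held, and the highest authority the
  -- user was ever seen to need across every check the collector recorded.
  SELECT obj_lib, obj_name, obj_type,
         COUNT(*)       AS checks,
         MAX(held_rank) AS max_held,
         MAX(need_rank) AS max_need
  FROM ranked
  GROUP BY obj_lib, obj_name, obj_type
)
SELECT obj_lib, obj_name, obj_type, checks,
       CASE max_held WHEN 4 THEN '*ALL' WHEN 3 THEN '*CHANGE'
                     WHEN 2 THEN '*USE' WHEN 1 THEN '*EXCLUDE'
                     ELSE 'OTHER' END AS held,
       CASE max_need WHEN 4 THEN '*ALL' WHEN 3 THEN '*CHANGE'
                     WHEN 2 THEN '*USE' WHEN 1 THEN '*EXCLUDE'
                     ELSE 'OTHER' END AS needed,
       -- The verdict you act on: reduce the grant, leave it alone, or look closer.
       CASE WHEN max_held = 0 OR max_need = 0 THEN 'REVIEW DETAILED_*'
            WHEN max_held > max_need         THEN 'OVER-AUTHORISED'
            ELSE 'OK' END AS verdict
FROM per_object
ORDER BY obj_lib, obj_name, obj_type;
```

The OVER-AUTHORISED rows are the objects where the grant can be reduced to the value in the needed column; remember the list is only as complete as the work the user did while the collector was running.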
Personally, I prefer the iNav interface, having the extra screen real estate really makes this easier to digest:
Simply take the option to Display the Authority Collection as shown in the screen shot above, specifying the user you wish to monitor.
Then you will get the details in the format shown in the screen shot below.
You can easily see the object in question, the current authority level the user has and, all-importantly, the level they actually required!
As an added bonus you can export this data in HTML or CSV format (the latter being great for Spreadsheets) and then further query the data and even use it to form part of your documentation.
Summing it all up
This is by no means perfect and is only as complete as your testing, and there are also limitations regarding swapping user profiles, but as a starting point it's fantastic, not to mention free!
If you don't have a 7.3 production system yet, all is not lost: you can always load your application up in a 7.3 test LPAR. Once there you can carry out your monitoring, create your security schema and then apply that to your production environment running on the older version of IBM i.
ProTip: I mentioned that you can mix and match the 5250 and iNav interfaces. Well in my experience so far, the best combination seems to be:
- Use the 5250 to do the start and stop (possibly even via the Job Scheduler)
- Use the iNav interface to display and export the data
- Use the exported data with your favourite spreadsheet to summarise and decide on the authorities needed.
Welcome to 2017, I hope you had a great Christmas and New Year. If you want to share your joy with more of our merry band, then please come and join us at one of our 2017 User Group meetings. We will be putting on two events in March, the first in Rochdale and the second in London.
Then our flagship event is in June at the MK Dons Stadium and finally one in the Autumn back in the Midlands.