Vern,

The Application Administration support uses the User Function Registration APIs to manage the functions. The functions are actually registered in the iSeries Exit Point Registration Facility. (See the description of the QSYRGFN API if you want more information.) Starting in V5R3 the WRKFCNUSG, CHGFCNUSG, and DSPFCNUSG CL commands use some of those same APIs to allow the functions to be managed from a command line.

In theory any application can use these APIs to register their own functions. Security enforcement (and auditing) is done when the application uses the QSYCKUFU or QsyCheckUserFunctionUsage API to determine if a user is authorized to use a part of the application that is secured by the function.

Some (all?) of the functions used by iSeries Navigator are only registered in the Registration Facility on the first use of Application Administration. Other functions such as QIBM_ACCESS_ALLOBJ_JOBLOG (Access job log of *ALLOBJ job) and QIBM_SERVICE_DUMP (Service dump) are registered when the operating system is installed.

Ed Fishel

Vern Hamberg wrote on 01/23/2006 03:06:29 PM:

> I'm not sure that AA controls command line entry as such. It is
> meant to control client functions. E.g., it can control whether a
> user can use FTP as a client from an iSeries or it can control
> whether the user can use FTP to connect to the iSeries from another
> box - this is using the iSeries as FTP server. It is also possible
> to control the use of ODBC. But control is not at the command line
> - controlling FTP as a client from the iSeries is only incidental,
> as I understand it.
>
> It is not clear where the settings are kept - I thought there was a
> global nature to this, but it might be local (except when using a
> central system, V5R2+). Reason I say this is, one item I read said
> that things are kept in the Windows registry. Another question for
> IBM Support, I suppose.
>
> But, in my experience, it is possible to keep someone from using FTP
> and other selected access methods. The security is still standard
> iSeries object security. The App Admin stuff is access control built
> on top of a "properly" secured system.
>
> HTH
> Vern
>
> -------------- Original message --------------
> From: fbocch2595@xxxxxxx
>
> > Thanks Vern.
> >
> > In your experience w/AA is there any way security can be bypassed
> > or compromised when using AA strictly over green screen command
> > entry?
> >
> > Another way to ask is does AA encompass or include all security
> > that green screen does?
> >
> > -----Original Message-----
> > From: Vernon Hamberg
> > To: Midrange Systems Technical Discussion
> > Sent: Sun, 22 Jan 2006 22:42:37 -0600
> > Subject: Re: DBU and it's competitors
> >
> > Not sure why you don't want to work with App Admin - it's really
> > quite simple. It's not the same as the packet stuff. You go into
> > iSeries (Ops) Navigator, right-click on a connection, click on
> > Application Administration, click on the Host Applications tab, then
> > open AS/400 TCP/IP Utilities, then open File Transfer Protocol (FTP),
> > then open the FTP server area and work with the users and block them
> > as needed. It applies, AFAIK, to the user, no matter what PC or
> > whatever they use to try to get in. Not just the one where you set it
> > up. So it should be possible not to install AppAdmin on user PCs and
> > be safe using just your PC for configuration. And you have to have
> > *SECADM anyway to change this stuff. Also, from V5R2 it is possible
> > to have a single server that holds the settings for others.

Ed Fishel, edfishel@xxxxxxxxxx
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].