
© Copyright IBM Corporation 2013

IBM i function usage IDs
Reference information on the function usage IDs

Dawn M. May ([email protected]), Consultant, IBM

17 October 2013

Function usage provides the ability to implement granular security controls rather than granting users powerful special authorities such as all object, job control, or service. This article reviews all of the function usage IDs that are available and their purpose.

Reference of IBM i function usage IDs

This reference provides a single resource that contains information about all the function usage IDs available on IBM i. This list is based upon the command-line interface (CLI) information, but also includes screen captures of the function usage capabilities as they are shown in IBM® Navigator for i.

For each function usage ID you can find:

• The function description and the function ID.
• The documentation on that function usage ID from various places in the IBM i information center.
• A list of commands, application programming interfaces (APIs), or interfaces that support that function ID.

This reference was created to provide a single source that documents these function usage IDs.

Note: Throughout this article you may see "IBM Navigator for i", "Navigator for i", "System i Navigator", or "iSeries Navigator". The text in many places is an exact copy of the help text you see on IBM i 7.1. In order to be consistent, the text here was not modified from the original text.

Refer to the Granular security control with function usage article for general information on function usage.

Function usage in the IBM i operating system

The set of function usage IDs that are provided with the IBM i operating system product are identified with the QIBM_BASE_OPERATING_SYSTEM product ID.

developerWorks® ibm.com/developerWorks/

On the graphical user interface (GUI), these are the functions within the IBM i grouping, as the following screen capture shows:

IBM Tivoli® Directory Server (LDAP) Administrator - QIBM_DIRSRV_ADMIN

This function usage ID binds user profiles as an LDAP administrator and it is for the IBM Tivoli Directory Server (LDAP). You can grant administrator access to user profiles that have been given access to the Directory Server Administrator (QIBM_DIRSRV_ADMIN) function identifier (ID).

All object functions

• Access job log of *ALLOBJ job - QIBM_ACCESS_ALLOBJ_JOBLOG

If a user has *JOBCTL special authority, this function usage can provide access to the job log of a job with *ALLOBJ special authority. Or, put another way, this function usage can allow a user without *ALLOBJ special authority to view a user's active job log that has *ALLOBJ special authority.

To display a job log for a job that has all object (*ALLOBJ) special authority, you must have *ALLOBJ special authority or be authorized to the All Object Job Log function of IBM i through Application Administration in IBM System i® Navigator. The Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_ACCESS_ALLOBJ_JOBLOG, can also be used to change the list of users that are allowed to display a job log of a job with *ALLOBJ special authority.

Use of the following command and APIs can be controlled using this function ID:

• Display Job Log (DSPJOBLOG)
• Open List of Job Log Messages API
• List Job Log Messages API
• Retrieve XML Service Information (QSCRXMLI) API

• Trace any user - QIBM_ALLOBJ_TRACE_ANY_USER

When you are using various trace commands, you can start traces that trace multiple jobs. For example, if you specify a generic user name for the job name (JOB) parameter on the Start Trace command, you must have all object (*ALLOBJ) special authority, or be authorized to the Trace any user function of IBM i through Application Administration in System i Navigator. You can also use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_ALLOBJ_TRACE_ANY_USER, to change the list of users that are allowed to perform trace operations.

The Start Trace command has the ability to specify generic job names to trace. The Trace TCP Application command allows you to dynamically start additional traces on different jobs. The ability to trace any job is very powerful, so the requesting user profile must either have *ALLOBJ special authority or have access to the QIBM_ALLOBJ_TRACE_ANY_USER function.

Use of the following commands can be controlled using this function ID:

• Start Trace (STRTRC)
• Trace TCP Application (TRCTCPAPP)

• Watch any job - QIBM_WATCH_ANY_JOB

In order to establish a watch on a job, job control (*JOBCTL) special authority is needed if the requesting job is running under a different user from the job user identity of the job being watched. All object (*ALLOBJ) special authority is needed if *ALL is specified for the watched job name, or if a generic user name is specified.

A user that does not have *ALLOBJ special authority can perform the function if they are authorized to the Watch any job function of IBM i through Application Administration in System i Navigator. You can also use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_WATCH_ANY_JOB, to change the list of users that are allowed to start and end watch operations.

Use of the following commands can be controlled using this function ID:

• End Watch (ENDWCH)
• End Watch API
• Start Watch (STRWCH)
• Start Watch API
• Start Communications Trace (STRCMNTRC)
• Start Trace (STRTRC)
• Trace Connection (TRCCNN)
• Trace TCP Application (TRCTCPAPP)
• Trace Internal (TRCINT)

Database functions

You can control access to IBM DB2® for i administration and monitoring facilities with function usage capabilities; the DB2 for i function usage is available on both 6.1 and 7.1 versions; the Authority Options for SQL Analysis and Tuning IBM i 7.1 Information Center topic describes these function usage capabilities.

• Database Administrator - QIBM_DB_SQLADM

The Database Administrator function is needed whenever a user is analyzing and viewing SQL performance data. Some of the more common functions are displaying statements from the SQL plan cache, analyzing SQL performance monitors and SQL plan cache snapshots, and displaying the SQL details of a job other than your own.

• Database Information - QIBM_DB_SYSMON

The Database Information function provides much less authority than the Database Administrator function. The primary use is to allow a user to examine high-level database properties. For example, a user without *JOBCTL or QIBM_DB_SQLADM authority can be allowed to view the SQL plan cache properties if granted authority to QIBM_DB_SYSMON.

The following table (which was copied from the 7.1 information center) summarizes the capabilities that are controlled by the QIBM_DB_SQLADM and QIBM_DB_SYSMON function IDs for database performance and analysis.

User action | *JOBCTL | QIBM_DB_SQLADM | QIBM_DB_SYSMON | No authority
SET CURRENT DEGREE (SQL statement) | Allowed | Allowed | Not allowed | Not allowed
CHGQRYA command targeting a different user's job | Allowed | Allowed | Not allowed | Not allowed
STRDBMON or ENDDBMON commands targeting a different user's job | Allowed | Allowed | Not allowed | Not allowed
STRDBMON or ENDDBMON commands targeting a job that matches the current user | Allowed | Allowed | Allowed | Allowed
QUSRJOBI() API format 900 or System i Navigator's SQL Details for Job | Allowed | Allowed | Allowed | Not allowed
DUMP PLAN CACHE PROPERTIES procedure | Allowed | Allowed | Allowed | Not allowed
Visual Explain within Run SQL Scripts | Allowed | Allowed | Allowed | Allowed
Visual Explain outside of Run SQL Scripts | Allowed | Allowed | Not allowed | Not allowed
ANALYZE PLAN CACHE procedure | Allowed | Allowed | Not allowed | Not allowed
DUMP PLAN CACHE procedure | Allowed | Allowed | Not allowed | Not allowed
MODIFY PLAN CACHE procedure | Allowed | Allowed | Not allowed | Not allowed
MODIFY PLAN CACHE PROPERTIES procedure (currently does not check authority) | Allowed | Allowed | Not allowed | Not allowed
CHANGE PLAN CACHE SIZE procedure (currently does not check authority) | Allowed | Allowed | Not allowed | Not allowed
START PLAN CACHE EVENT MONITOR procedure | Allowed | Allowed | Not allowed | Not allowed
END PLAN CACHE EVENT MONITOR procedure | Allowed | Allowed | Not allowed | Not allowed
END ALL PLAN CACHE EVENT MONITORS procedure | Allowed | Allowed | Not allowed | Not allowed

• TOOLBOX APPLICATION SERVER ACCESS - ZDA - QIBM_DB_ZDA

This function usage ID provides the ability to restrict access to the optimized server that handles DB2 requests from clients. Server access is used by the Open Database Connectivity (ODBC), Object Linking and Embedding (OLE) DB and .NET providers that are provided with IBM i Access for Windows as well as Java Database Connectivity (JDBC) Toolbox, Run SQL Scripts, and other parts of System i Navigator and Navigator for i web console. It provides an easy alternative (rather than writing an exit program) to control access to these functions from the server side.

• DDM & DRDA APPLICATION SERVER ACCESS - QIBM_DB_DDMDRDA

This function usage ID provides the ability to restrict access to the distributed data management (DDM) and Distributed Relational Database Architecture (DRDA) application server. It provides an easy alternative (rather than writing an exit program) to control access to DDM and DRDA from the server side.

Refer to the Add QIBM_DB_ZDA and QIBM_DB_DDMDRDA function usage IDs article on developerWorks for more information on these two usage IDs. You will need the Database Group program temporary fix (PTF) installed for this support:

• IBM i 6.1 - SF99601 Level 25 or later
• IBM i 7.1 - SF99701 Level 16 or later

Service functions

In general, all of the function usage IDs in the Service functions category allow more granular access to service functions rather than using *SERVICE special authority. Because there are many types of service functions, the function usage IDs were created under various categories to allow access to sets of service functions.

The Cluster Management function usage capabilities are not used. The IDs listed below might be removed in a future release of the operating system.

• Cluster Administration - QIBM_QCST_SERVICE_CLUSTADMIN

This function usage ID provides support to administer a cluster.

• Cluster Operation - QIBM_QCST_SERVICE_CLUSTOPER

This function usage ID provides support to operate a cluster.

• Disk units - QIBM_QYAS_SERVICE_DISKMGMT

This function usage ID provides support to work with disk units.

Several of the disk management APIs (Start/End Disk Management Operation/Session set of APIs) can be controlled with this function rather than requiring the user profile to have *SERVICE special authority. These APIs are used for the Disk Management functions through the GUI, and therefore, this function also applies to the GUI capabilities.

The following disk management APIs can be controlled using this function ID:

• End Disk Management Operation API
• End Disk Management Session API
• Start Disk Management Session API
• Start Disk Management Operation API

• DISK WATCHER - QIBM_SERVICE_DISK_WATCHER

Disk watcher is a performance data collector designed to gather detailed data regarding disk usage. To use the disk watcher commands, you must have the service (*SERVICE) special authority, or be authorized to the DISK WATCHER function.

The following disk watcher commands can be controlled using this function ID:

• Add Disk Watcher Definition (ADDDWDFN)
• Remove Disk Watcher Definition (RMVDWDFN)
• End Disk Watcher (ENDDW)
• Start Disk Watcher (STRDW)

• Service dump - QIBM_SERVICE_DUMP

The service dump functions are similar to the service trace functions, but dumps have their own function ID so that you can control access to dump interfaces separately. You can use the service dump function rather than requiring the user profile to have *SERVICE special authority to collect dump information. As you can see, not all dump commands support the function usage capability.

The following service commands and APIs can be controlled using this function ID:

• Dump Main Memory Information (DMPMEMINF)
• Dump User Profile (DMPUSRPRF)
• Print Internal Data (PRTINTDTA)
• Collect Hung Job Service Documentation API
• Log Software Error API
• Performance Miscellaneous File System Functions API

• JOB WATCHER - QIBM_SERVICE_JOB_WATCHER

Job watcher is a performance data collector designed to gather detailed data regarding job performance. To use the job watcher commands, you must have service (*SERVICE) special authority, or be authorized to the JOB WATCHER function.

The following job watcher commands can be controlled using this function ID:

• Add Job Watcher Definition (ADDJWDFN)
• Remove Job Watcher Definition (RMVJWDFN)
• End Job Watcher (ENDJW)
• Start Job Watcher (STRJW)

• Service trace - QIBM_SERVICE_TRACE

This is the function usage that started it all; the addition of the TRCCNN command to the operating system is what started the use of function usage by components within the operating system. You can use the service trace function rather than requiring the user profile to have the *SERVICE special authority to collect trace data.

The QIBM_SERVICE_TRACE function usage is broad.

The following service commands and APIs can be controlled using this function ID:

• Start Trace (STRTRC)
• End Trace (ENDTRC)
• Print Trace (PRTTRC)
• Delete Trace (DLTTRC)
• Add Trace Filter (ADDTRCFTR)
• Remove Trace Filter (RMVTRCFTR)
• Join Trace API

• Trace Internal (TRCINT)
• Trace Connection (TRCCNN)
• Trace TCP Application (TRCTCPAPP)

• Start Communications Trace (STRCMNTRC)
• End Communications Trace (ENDCMNTRC)
• Print Communications Trace (PRTCMNTRC)
• Delete Communications Trace (DLTCMNTRC)
• Check Communications Trace (CHKCMNTRC)
• Dump Communications Trace (DMPCMNTRC)
• Change Communications Trace Configuration API

• Retrieve Watch Information API
• Retrieve Watch List API

• Change Cluster Recovery (CHGCLURCY)
• Dump Cluster Trace (DMPCLUTRC)
• Work with Cluster (WRKCLU) with *SERVICE option

• Dump Trace (DMPTRC)

• Work with Traces (WRKTRC)

• Add PEX Definition (ADDPEXDFN)
• Change PEX Definition (CHGPEXDFN)
• Remove PEX Definition (RMVPEXDFN)
• Work with PEX Definitions (WRKPEXDFN)
• Add PEX Filter (ADDPEXFTR)
• Remove PEX Filter (RMVPEXFTR)
• Work with PEX Filters (WRKPEXFTR)
• End Performance Explorer (ENDPEX)
• Start Performance Explorer (STRPEX)
• Print PEX Report (PRTPEXRPT)
• Create PEX Data (CRTPEXDTA)
• Delete PEX Data (DLTPEXDTA)

• Service watch - QIBM_SERVICE_WATCH

The service watch function allows you to control who can use the watch interfaces. You can use the service watch function rather than requiring the user profile to have the *SERVICE special authority to use watches.

The following watch commands and APIs can be controlled using this function ID:

• Start Watch (STRWCH)
• End Watch (ENDWCH)
• Work with Watches (WRKWCH)

If you want to start traces through the Work with Watches interface, you might also need to consider the QIBM_SERVICE_TRACE function ID if access to trace commands is controlled in that manner.

• Start Watch API
• End Watch API
• Retrieve Watch Information API
• Retrieve Watch List API

Thread control - QIBM_SERVICE_THREAD

With thread control authority, you can retrieve information about the threads of another job. Thread control can be granted and revoked for individual users by using System i Navigator Application Administration support, or by using the Change Function Usage Information (QSYCHFUI) API, with a function ID of QIBM_SERVICE_THREAD.

The following thread control capabilities can be controlled using this function ID:

• Hold, release, or end a thread
• Retrieve Thread Attributes API
• Control Thread API

Function usage for iSeries Navigator tasks on the Web

In the V5R3 release, IBM introduced the System i Navigator Tasks on the Web interface. This was the early work that ultimately resulted in the IBM Navigator for i web console. The ability to control access to the tasks on the web was managed through function usage. These tasks on the web are still available.

These function usage IDs are documented in the information center under the Configuring Application Administration topic within the System i Navigator tasks on the Web topic; but the QIBM_INAV_WEB... strings are not documented and thus you will not find them through a search. In addition, the documentation refers to these capabilities using the "System i Navigator" name, although the function IDs in the GUI use the "iSeries Navigator" name. The default for these function IDs restricts access to the tasks on the web to users with *ALLOBJ special authority.

The use of these function IDs is straightforward if you are familiar with Navigator tasks on the Web.

• Configure iSeries Navigator Web Interface - QIBM_QINAV_WEB_CONFIGURE

You can configure the System i Navigator tasks on the Web application from this server.

It allows you to grant or limit access to the System i Navigator Web configuration (task=config, or click Configuration on the home page). The default is set to All Object Access. The configuration page has options for setting the tracing levels and setting up SSL.

• Manage Server Through Web Interface - QIBM_QINAV_WEB_FUNCTIONS

This server can be managed by any System i Navigator tasks on the Web application.

It specifies that this system (server) can be managed through any System i Navigator task performed from the web, regardless of the system that is hosting the System i Navigator tasks on the Web application. The default is set to All Object Access.

• Use of iSeries Navigator Web Interface - QIBM_QINAV_WEB_INTERFACE

This function ID allows the use of System i Navigator tasks on the Web application from this system (server) for the user.

It specifies to grant or limit access to the System i Navigator Web application. The default is set to All Object Access.

Function usage for Digital Certificate Manager

• *SYSTEM certificate store - QIBM_QSY_SYSTEM_CERT_STORE

This function ID provides access to the *SYSTEM certificate store.

If a user profile name is specified, then the specified user profile is given access to the QIBM_QSY_SYSTEM_CERT_STORE function. This function gives the specified user profile access to the *SYSTEM certificate store without having to be authorized to the actual object, but only when using the certificate associated with the application to establish a secure session.

The following API can be controlled using this function ID:

• Register Application for Certificate Use API

• Object Signing Applications

This is a blank placeholder and no function usage IDs exist within it.

Function usage for Management Central

Management Central Administration Access - QIBM_QYPS_MGTCTRL_SUPER_USER

This function ID gives administrators access to all management central tasks, definitions, monitors, and system groups.

Function usage for TCP/IP utilities

This set of IDs are all for controlling access to File Transfer Protocol (FTP) functions. You can implement fine-tuned access control to FTP using function usage. Most of these IDs are sufficiently descriptive for you to figure out what they control now. On the command-line interface, you now know that "QTMF" is the component identifier for FTP.

FTP Client functions

Function | Function usage ID | Description
Initiate Session | QIBM_QTMF_CLIENT_REQ_0 | Start an FTP Client session. Must be allowed to do other client operations.
Change Directory | QIBM_QTMF_CLIENT_REQ_3 | Use of client subcommand LCD to change the current directory.
CL Commands | QIBM_QTMF_CLIENT_REQ_9 | Use of client subcommand SYSCMD to run CL commands.
Clear Command Channel | QIBM_QTMF_CLIENT_REQ_10 | Use of the client subcommand CCC to end encryption of the control connection.
Receive Files | QIBM_QTMF_CLIENT_REQ_7 | Use of client subcommands GET and MGET to receive files.
Send Files | QIBM_QTMF_CLIENT_REQ_6 | Use of client subcommands PUT, MPUT, and APPEND to send files.

FTP Server functions

Function | Function usage ID | Description
Logon Server | QIBM_QTMF_SERVER_REQ_0 | Permission to log on to the FTP server. Must be allowed to use other server operations.
Change Directory | QIBM_QTMF_SERVER_REQ_3 | Use of the server subcommand CWD to change current directory.
CL Commands | QIBM_QTMF_SERVER_REQ_9 | Use of the server subcommand RCMD to run CL commands.
Clear Command Channel | QIBM_QTMF_SERVER_REQ_10 | Use of the server subcommand CCC to end encryption of the control connection.
Create Directory/Library | QIBM_QTMF_SERVER_REQ_1 | Use of the server subcommand MKD to create directories.
Delete Directory/Library | QIBM_QTMF_SERVER_REQ_2 | Use of the server subcommand RMD to delete directories.
Delete Files | QIBM_QTMF_SERVER_REQ_5 | Use of the server subcommand DELE to delete files.
List Files | QIBM_QTMF_SERVER_REQ_4 | Use of server subcommands LIST and NLST.
Receive Files | QIBM_QTMF_SERVER_REQ_7 | Use of server subcommands STOR, STOU, and APPE to receive files from client.
Rename Files | QIBM_QTMF_SERVER_REQ_8 | Use of server subcommands RNFR and RNTO to rename files.
Send Files | QIBM_QTMF_SERVER_REQ_6 | Use of the RETR server subcommand to send files to client.
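One way to apply the FTP server IDs listed above, shown as an added example that is not part of the original article: the CL program below makes the FTP server operations default-deny with the CHGFCNUSG command, then allows a single transfer profile to log on, list, and exchange files. XFERUSR is a hypothetical user profile, and the choice of which operations to leave denied is an assumption made for illustration.

```cl
/* Added example, not from the original article.                     */
/* XFERUSR is a hypothetical user profile used only for transfers.   */
PGM

/* Logon (REQ_0) is the gate for every other server operation.       */
/* ALLOBJAUT(*NOTUSED) means *ALLOBJ special authority alone does    */
/* not grant use of the function.                                    */
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_0) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_0) USER(XFERUSR) USAGE(*ALLOWED)

/* RCMD runs CL commands through the FTP server: denied for all      */
/* users, with no exceptions granted.                                */
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_9) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)

/* CCC ends encryption of the control connection: denied for all.    */
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_10) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)

/* MKD, RMD, DELE, and RNFR/RNTO: denied for all.                    */
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_1) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_2) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_5) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_8) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)

/* CWD, LIST/NLST, RETR, and STOR/STOU/APPE: denied by default,      */
/* allowed for XFERUSR only.                                         */
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_3) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_3) USER(XFERUSR) USAGE(*ALLOWED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_4) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_4) USER(XFERUSR) USAGE(*ALLOWED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_6) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_6) USER(XFERUSR) USAGE(*ALLOWED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_7) DEFAULT(*DENIED) +
             ALLOBJAUT(*NOTUSED)
CHGFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_7) USER(XFERUSR) USAGE(*ALLOWED)

/* Print the resulting settings for review: the logon gate and the   */
/* RCMD function.                                                    */
DSPFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_0) OUTPUT(*PRINT)
DSPFCNUSG  FNCID(QIBM_QTMF_SERVER_REQ_9) OUTPUT(*PRINT)

ENDPGM
```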

Function usage for Common Information Model (CIM)

The following IDs are for controlling CIM functions. CIM is included with the 5722-UME (for V5R4) or 5770-UME (for 6.1 or 7.1) licensed program product.

CIM class operations

Function | Function usage ID | Description
Create Class | QIBM_QYCM_CIMOM_CREATE_CLASS | Permission to create a class.
Delete Class | QIBM_QYCM_CIMOM_DELETE_CLASS | Permission to delete a class
Enumerate Class Names | QIBM_QYCM_CIMOM_ENUM_CLASS_NAM | Permission to retrieve a list of class names
Enumerate Classes | QIBM_QYCM_CIMOM_ENUM_CLASS | Permission to retrieve a list of classes
Get Class | QIBM_QYCM_CIMOM_GET_CLASS | Permission to retrieve a class
Modify Class | QIBM_QYCM_CIMOM_MODIFY_CLASS | Permission to modify a class

CIM qualifier operations

Function | Function usage ID | Description
Delete Qualifier | QIBM_QYCM_CIMOM_DELETE_QUAL | Permission to delete a qualifier
Enumerate Qualifiers | QIBM_QYCM_CIMOM_ENUM_QUAL | Permission to retrieve a list of qualifiers.
Get Qualifier | QIBM_QYCM_CIMOM_GET_QUAL | Permission to retrieve a qualifier
Set Qualifier | QIBM_QYCM_CIMOM_SET_QUAL | Permission to set a qualifier

System management operations

Access to the CIM Performance Provider - QIBM_QUME_CIMOM_METRIC

This function ID provides the permission to access the performance data by a metrics provider.

With IBM Systems Director, you can view and monitor many IBM i performance metrics. This data comes from Collection Services, but is made available to Systems Director through a CIM metrics provider. You can control access to the CIM performance data metrics provider with this function usage ID. If you restrict access to a user, that user will not be able to see performance metrics from Systems Director.

Function usage for Backup, Recovery, and Media Services (BRMS)

The following IDs are for BRMS, included with the 57xx-BR1 product. For more information about these function usage IDs, refer to the IBM i information center and read The Functional Usage Model and BRMS Security Considerations. The BRMS documentation does a pretty good job at documenting their use of functional usage capabilities.

Archive functions

Function | Function usage ID | Description
*ARCGRP | QIBM_Q1A_ARC_CTLG_BRM.ARCGRP | The specific control group can be secured from changes
Archive policy | QIBM_Q1A_ARC_PCY | The policy can be secured from changes
Basic archive activities | QIBM_Q1A_ARC | Planning and performing archives can be secured

Backup functions

Function | Function usage ID | Description
*BKUGRP | QIBM_Q1A_BKU_CTLG_BRM.BKUGRP | The specific control group can be secured from changes.
*SYSGRP | QIBM_Q1A_BKU_CTLG_BRM.SYSGRP | The specific control group can be secured from changes
*SYSTEM | QIBM_Q1A_BKU_CTLG_BRM.SYSTEM | The specific control group can be secured from changes
QALLSPLF | QIBM_Q1A_BKU_LIST_QALLSPLF | The specific list can be secured from changes
QALLUSRLNK | QIBM_Q1A_BKU_LIST_QALLUSRLNK | The specific list can be secured from changes
QIBMLINK | QIBM_Q1A_BKU_LIST_QIBMLINK | The specific list can be secured from changes
QLNKOMT | QIBM_Q1A_BKU_LIST_QLNKOMT | The specific list can be secured from changes
Backup policy | QIBM_Q1A_BKU_PCY | The policy can be secured from changes
Basic backup activities | QIBM_Q1A_BKU | Planning and performing backups can be secured

Media functions

Function | Function usage ID | Description
Advanced media activities | QIBM_Q1A_MED_ADV | Advanced media activities can be secured
Basic media activities | QIBM_Q1A_MED | Basic media activities can be secured
FMTOPTUDF | QIBM_Q1A_MED_CLS_FMTOPTUDF | A specific media class can be secured
QIC2GB | QIBM_Q1A_MED_CLS_QIC2GB | A specific media class can be secured
SAVSYS | QIBM_Q1A_MED_CLS_SAVSYS | A specific media class can be secured
Media information | QIBM_Q1A_MED_INF | Media history information can be secured
ARCHIVAL | QIBM_Q1A_MED_PCY_ARCHIVAL | A specific policy can be secured from changes
FMTOPTUDF | QIBM_Q1A_MED_PCY_FMTOPTUDF | A specific policy can be secured from changes
FULL | QIBM_Q1A_MED_PCY_FULL | A specific policy can be secured from changes
INCR | QIBM_Q1A_MED_PCY_INCR | A specific policy can be secured from changes
SAVF | QIBM_Q1A_MED_PCY_SAVF | A specific policy can be secured from changes
SAVSYS | QIBM_Q1A_MED_PCY_SAVSYS | A specific policy can be secured from changes
SYSTEM | QIBM_Q1A_MED_PCY_SYSTEM | A specific policy can be secured from changes

Migration functions

Function | Function usage ID | Description
Basic migration activities | QIBM_Q1A_MGR | Planning and performing migration can be secured
*MGRGRP | QIBM_Q1A_MGR_CTLG_BRM.MGRGRP | The specific control group can be secured from changes
Migration information | QIBM_Q1A_MGR_INF | Migration history information can be secured
Migration policy | QIBM_Q1A_MGR_PCY | The policy can be secured from changes

Movement functions

Function Function usage ID Description

Basic movement activities QIBM_Q1A_MOV Movement, locations, and move policies can be secured

OFFSITE QIBM_Q1A_MOV_PCY_OFFSITE A specific policy can be secured from changes

Move verification QIBM_Q1A_MOV_VFY The ability to verify movement can be secured

Recovery functions

Function Function usage ID Description

Basic recovery activities QIBM_Q1A_RCY Planning and performing recoveries can be secured

Recovery policy QIBM_Q1A_RCY_PCY The policy can be secured from changes

Retrieve functions

Function Function usage ID Description

Basic retrieval activities QIBM_Q1A_RTV Retrieval controls and policies can be secured

Retrieve policy QIBM_Q1A_RTV_PCY The policy can be secured from changes

System related functions

Function Function usage ID Description

Auxiliary Storage Pools (ASP) QIBM_Q1A_SYS_ASP Basic BRMS ASP related activities can be secured

Basic activities QIBM_Q1A_SYS Basic BRMS system-level activities can be secured

Devices QIBM_Q1A_SYS_DEV Basic BRMS device-related activities can be secured

Initialize BRM QIBM_Q1A_INZBRM The INZBRM command can be secured

Maintenance QIBM_Q1A_SYS_MNT The maintenance function can be secured

System policy QIBM_Q1A_SYS_PCY The policy can be secured from changes

Function usage for i Navigator tasks

And finally, this last set of IDs is for controlling functions for System i Navigator, IBM i Navigator, and IBM iSeries® Access functions. These functions are found on the System i Navigator tab within the Application Administration task.

Note that the XD1 function ID names and descriptions might imply the Windows client (Operations Navigator, iSeries Navigator, or System i Navigator, whichever name you prefer), but these also apply to Navigator for i, which is the browser-based administration interface.

Using these function IDs, you can control which users have access to which features within the graphical administrative interface. And because these are function usage IDs, you can control this from the host side and do not need to do a customized installation of the client (for System i Navigator).

Most of these function IDs are self-explanatory.

Basic operations functions

Function Function usage ID Description

Messages QIBM_XD1_OPNAV_MESSAGES Provides support to work with messages

Printer Output QIBM_XD1_OPNAV_PRINTOUT Provides support to work with printer output

Printers QIBM_XD1_OPNAV_PRINTERS Provides support to manage printers

Jobs QIBM_XD1_OPNAV_JOBMGMT Provides support to work with jobs

Work management functions

Function Function usage ID Description

Active Jobs QIBM_XE1_OPNAV_ACTJOB Provides support to work with active jobs

Server Jobs QIBM_XE1_OPNAV_SRVJOB Provides support to work with server jobs

Job Queues QIBM_XE1_OPNAV_JOBQUE Provides support to work with job queues

Output Queues QIBM_XE1_OPNAV_OUTQUES Provides support to work with output queues

Subsystems QIBM_XE1_OPNAV_SUBSYS Provides support to work with subsystems

Memory Pools QIBM_XE1_OPNAV_MEMPOOL Provides support to work with memory pools

Configuration and service functions

Function Function usage ID Description

System Values and Time Management QIBM_XE1_OPNAV_SYSVAL Provides support to work with system values

History Log QIBM_XE1_OPNAV_HISTLOG Provides support to display the history log

Hardware QIBM_XD1_OPNAV_HARDINV Displays the hardware on the server

Software QIBM_XD1_OPNAV_SOFTINV Displays the software for the server

Network functions

Function Function usage ID Description

Internet QIBM_XD1_OPNAV_INTERNET Provides access to the Internet applications

IP Policies QIBM_XD1_OPNAV_IPSECURITY Provides support to configure TCP/IP security

IBM Network Stations (Pre-V5R3M0 clients only) QIBM_XD1_OPNAV_NETSTAT Provides access to the IBM Network Station application

TCP/IP Configuration QIBM_XD1_OPNAV_PROTOCOL Provides support to set up and manage TCP/IP communications

Remote Access Services QIBM_XD1_OPNAV_PTTOPT Provides support to manage point-to-point communications for the server

Servers QIBM_XD1_OPNAV_SERVERS Provides support to set up and monitor network servers

Enterprise Identity Mapping QIBM_XE1_OPNAV_EIM Provides support to set up Enterprise Identity Mapping (EIM) and participate in an EIM domain

Application Development QIBM_XD1_OPNAV_APPDEV Provides support to work with server application development tools

Backup QIBM_XD1_OPNAV_BACKUP Provides support to schedule backups of server data

Multimedia (Pre-V5R1M0 clients only) QIBM_XD1_OPNAV_MULTIMEDIA Provides support to store and share multimedia data on the server

Users and Groups QIBM_XD1_OPNAV_USRGRP Provides support to manage IBM i users and user groups

AFP Manager QIBM_XE1_OPNAV_AFPMGR Provides support to manage Advanced Function Presentation (AFP) resources, Print Services Facility (PSF) configurations, and font tables

Application Administration QIBM_XE1_OPNAV_APPADMIN Provides support to display the functions or applications available to users on this server. Be careful with this one! If you restrict your user profile from using Application Administration, you will lose Application Administration capabilities on the GUI!

Integrated Server Administration QIBM_XE1_OPNAV_WINADM Provides support to manage integrated servers

Schemas QIBM_XD1_OPNAV_DBLIBS Provides support to work with DB2 UDB objects

ODBC Data Sources (Pre-V5R1M0 clients only) QIBM_XD1_OPNAV_DBODBC Provides support to set up ODBC data sources on the server

Database Navigator Maps QIBM_XE1_OPNAV_DBNAV Provides support for viewing a map of a database

SQL Plan Cache Snapshots QIBM_XE1_OPNAV_DBSQLPCS Provides support to access the system plan cache and create snapshots of the plan cache

SQL Performance Monitors QIBM_XE1_OPNAV_DBSQLPM Provides support to monitor server SQL performance

Transactions QIBM_XE1_OPNAV_DBXACT Provides support to work with transactions on the server

File Shares QIBM_XE1_OPNAV_FSNETSRV Provides support to work with shared files set up with IBM i NetServer

Authorization Lists QIBM_XD1_OPNAV_AUTHLIST Provides support to create and maintain authorization lists

Cryptographic Services Key Management QIBM_XD1_OPNAV_CRYPTO Manage cryptographic master keys and keystores

Policies QIBM_XD1_OPNAV_SECPOLICY Provides support to maintain security policies

Intrusion Detection QIBM_XE1_OPNAV_IDS Provides support to configure, manage, and monitor intrusion detection on the system

Network Authentication Service QIBM_XE1_OPNAV_NETAS Provides support to set up Kerberos

QDLS QIBM_XD1_OPNAV_FSQDLS Provides support to work with files in the QDLS integrated file system

QFileSvr.400 QIBM_XD1_OPNAV_FSQFILESVR Provides support to work with files in the QFileSvr.400 integrated file system

QLANSrv QIBM_XD1_OPNAV_FSQLANSRV Provides support to work with files in the QLANSrv integrated file system

QNetWare QIBM_XD1_OPNAV_FSQNETWARE Provides support to work with files in the QNetWare integrated file system

QNTC QIBM_XD1_OPNAV_FSQNTC Provides support to work with files in the QNTC integrated file system

QOpenSys QIBM_XD1_OPNAV_FSQOPENSYS Provides support to work with files in the QOpenSys integrated file system

QOPT QIBM_XD1_OPNAV_FSQOPT Provides support to work with files in the QOPT integrated file system

QSYS.LIB QIBM_XD1_OPNAV_FSQSYSLIB Provides support to work with files in the QSYS.LIB integrated file system

Root QIBM_XD1_OPNAV_FSROOT Provides support to work with files in the Root integrated file system

.NET Data Provider QIBM_XE1_DOT_NET Provides access to DB2 UDB for iSeries databases for .NET development

ODBC Support QIBM_XE1_ODBC Provides access to server data using the ODBC driver

OLE DB Provider QIBM_XE1_OLEDB Provides access to server tables, data queues, programs, and commands

Remote Command - Command Line QIBM_XE1_RMTCMD Provides support to run commands on a server from the Windows command line

5250 Display and Printer Emulator QIBM_XE1_5250 Provides support for PC clients to work with the server using a 5250 emulator

ActiveX Automation Downloads QIBM_XE1_DDWNLD_AO Provides support to download server data using ActiveX Automation Objects

Autostart Downloads QIBM_XE1_DDWNLD_AUTO Provides support to download server data using auto-start and auto-close

Excel Add-in Downloads QIBM_XE1_DDWNLD_EXCEL Provides support to download server data using the Data Transfer Excel Add-in

GUI Downloads QIBM_XE1_DDWNLD_GUI Provides support to download server data using the Data Transfer user interface

Use of RTOPCB QIBM_XE1_DDWNLD_RTOPCB Provides support to download server data using the Data Transfer command-line interface

ActiveX Automation Uploads QIBM_XE1_DUPLD_AO Provides support to upload data using ActiveX automation objects

Appending or Replacing Host Files QIBM_XE1_DUPLD_APPREP Provides support to append to server files or replace server file members

Autostart Uploads QIBM_XE1_DUPLD_AUTO Provides support to upload data using auto-start and auto-close

Excel Add-in Uploads QIBM_XE1_DUPLD_EXCEL Provides support to upload server data using the Data Transfer Excel Add-in

GUI Uploads QIBM_XE1_DUPLD_GUI Provides support to upload data using the Data Transfer user interface

Use of RFROMPCB QIBM_XE1_DUPLD_RFROMPCB Provides support to upload data using the Data Transfer command-line interface

File Creation Based on Existing Server Files QIBM_XE1_DUPLD_CRTF_BASED Provides support to create server database files based on existing server files

File Creation Based on PC File or Excel Spreadsheet QIBM_XE1_DUPLD_WIZ_CRTF Provides support to create server database files based on a PC file or Microsoft® Excel spreadsheet

Resources

The following references provide additional information on function usage:

• Granular security control with function usage article on developerWorks.

• Operations Navigator V5R1 Volume 1: Overview and More has a good chapter on Application Administration. Note that the IBM Redbooks documentation is based upon the Operations Navigator client, but the capabilities are the same, even in the browser (IBM i Navigator) added in 6.1.

• Functional Usage Capabilities blog.

• Functional Usage Capabilities, Part 2 blog.

• New Function Usage IDs blog.

• Add QIBM_DB_ZDA and QIBM_DB_DDMDRDA function usage IDs article on developerWorks.

• Improved Security Controls Open Door to DB2 for i Tool Usage

About the author

Dawn M. May

Dawn May is a senior technical staff member for IBM at Rochester, Minnesota. Dawn's current position is the liaison to the IBM i Large User Group and a consultant on the IBM Systems Director team. Prior to this, she was the technical lead and performance consultant for the Performance and Scalability Services Center in Rochester where she worked with IBM i clients to plan and run performance and proof of concept tests. Dawn has extensive experience as part of the IBM i development team in various components of the operating system.

© Copyright IBM Corporation 2013 (www.ibm.com/legal/copytrade.shtml) Trademarks (www.ibm.com/developerworks/ibm/trademarks/)