This week’s installment of APIs by Example will turn the spotlight on a relatively new iSeries security concept called User Function Registration. User Functions were introduced with release V4R3 and offer a method to implement application-level security, which lets you specify the user profiles that should be allowed to access specific functions or interfaces within your application. This article describes the elements of the User Function Registration facility and also includes two new commands to help you maintain User Functions.
Application-level security in this context means that your application includes a call to the Check User Function Usage API to determine if the current user profile is allowed to access the specific function you want to protect. Contrary to general iSeries resource security, which is built into the operating system and is in effect regardless of the interface you are accessing a resource through, application security leaves it up to you to ensure that resources are not accessed through other available interfaces or applications. In other words, resources that are protected by application-level security are only secured as long as they are accessed through that specific application.
Let’s say you have a customer maintenance application and you use the Function Registration to enforce which users are allowed to display customer information and which users are allowed to update customer information. This authorization scheme will work fine as long as the users are accessing the customer information by means of that customer maintenance application. But it offers no protection against users accessing the customer data through other available interfaces and applications if these do not also perform a check against that specific Function Registration.
A User Function does however offer great flexibility when it comes to function access administration. When you register or change the User Function, you can specify whether *ALLOBJ special authority should be ignored when performing the function usage check. This allows you to –- within the limits mentioned above -– actually deny security officer user profiles access to specific functions and data.
You can also specify whether the User Function default usage is to allow access or to deny access. In the first case, if most users should be allowed access, you then only register the user profiles that should be denied access. In the latter, if the majority of users should be denied access, you only register the users that should be allowed access.
As an example of User Functions deployment in the real world, the iSeries operating system utilizes User Functions to allow user profiles without *ALLOBJ special authority to look at the joblogs of user profiles that have *ALLOBJ special authority. Normally *JOBCTL special authority is required to look at another user’s job log, and *ALLOBJ special authority is required to look at the job log of a user that has *ALLOBJ authority. The latter requirement can be bypassed if the user profile running the DSPJOBLOG command is registered with the QIBM_ACCESS_ALLOBJ_JOBLOG function ID.
In the above event, IBM added a check against the mentioned User Function if insufficient authority was found by the DSPJOBLOG command processing program when trying to access a job having *ALLOBJ special authority. Then if function usage access is found, access to the DSPJOBLOG function is granted. For example, it lets you give operations staff members access to privileged users’ joblogs without having to grant them *ALLOBJ special authority. This is of course only one example of how to put application-level security and User Functions to work.
This week I will show you how to both register and deregister a User Function by means of two new commands that I have created for this article: The Add Function Registration (ADDFCNREG) and the RMVFCNREG (Remove Function Registration) commands. These commands also offer a starting point for those who want to create their own interfaces to the User Function Registration APIs that are the engine of the two commands.