*SERVICE special authority
Service (*SERVICE) special authority allows the user to start system service tools using the STRSST command. This special authority allows the user to debug a program with only *USE authority to the program and perform the display and alter service functions. It also allows the user to perform trace functions.
The dump function can be performed without *SERVICE authority.
Risks: A user with *SERVICE special authority can display and change confidential information using service functions. The user must have *ALLOBJ special authority to change the information using service functions.
To minimize the risk for trace commands, users can be given authorization to perform service tracing without the *SERVICE special authority. In this way, only specific users have the ability to perform a trace command, which can grant them access to sensitive data. The user must be authorized to the command and have either *SERVICE special authority, or be authorized to the Service Trace function of IBM® i through Application Administration in IBM Navigator for i. The Change Function Usage (CHGFCNUSG) command, with the function ID of QIBM_SERVICE_TRACE, can also be used to change the list of users that are allowed to perform trace operations.
STRCMNTRC | Start Communications Trace |
ENDCMNTRC | End Communications Trace |
PRTCMNTRC | Print Communications Trace |
DLTCMNTRC | Delete Communications Trace |
CHKCMNTRC | Check Communications Trace |
TRCCNN | Trace Connection (see Granting access to traces) |
TRCINT | Trace Internal |
STRTRC | Start Job Trace |
ENDTRC | End Job Trace |
PRTTRC | Print Job Trace |
DLTTRC | Delete Job Trace |
TRCTCPAPP | Trace TCP/IP Application |
WRKTRC | Work with Traces |