Application Administration Access Settings

Resolving The Problem

The following information, compiled from IBM i OS Knowledge Center, explains the Application Administration access settings, how access is actually determined, and when changes take effect.

Access Settings for a Function

Each administrable function that your server supports has several associated access settings. The access settings determine if a user is denied or allowed access to the function. The access settings are:

Default Access
Determines a user's access to a function when the user and its groups are not explicitly allowed or denied access to the function.

All Object Access
Indicates if a user or group with all object system privilege is allowed access to the function. If selected and the user or group has all object system privilege, this setting overrides all other access settings.

Customized Access
Indicates if users or groups are explicitly denied or allowed access to the function.


How Access to a Function Is Determined

Application Administration evaluates the access settings of a function to determine if a user is allowed or denied access to that function. All functions have a default and an all object access setting. Functions can also have customized access settings that allow or deny specific users and groups access to that function.

Following are the steps Application Administration takes to determine if a user can access a particular function:

1.	If All Object Access is selected for a function and the user has all object system privilege, the user is allowed access to the function. If not, continue to the next step.
2.	If the user is denied or allowed access by the Customized Access setting, the Customized Access setting determines the user's access to the function. If not, continue to the next step.
3.	If the user is a member of one or more groups, go to Step 4. If not, go to Step 7.
4.	If All Object Access is selected for a function and the group has all object system privilege, the user can access the function. If not, continue to the next step.
5.	If the user is in a group whose Customized Access setting is Allowed, the user is allowed access to the function. If not, continue with the next group at Step 4. After Application Administration processes each group, proceed to Step 6.
6.	If the user is in a group whose Customized Access setting is Denied, the user is denied access to the function. If not, continue to the next step.
7.	The Default Access setting determines the user's access to the function.

When Changes To Access Settings Take Effect

Application Administration settings are stored on the IBM i OS and are accessed differently depending on the client application being used. IBM i Access for Windows and IBM i Access Client Solutions are downloaded and cached locally on each PC.

Any updates to user restrictions in Application Administration for Access for Windows functions are detected by the PC when a 'true' signon is made. If the iSeries Access connection is configured to use a default user ID or the Microsoft Windows logon, password credentials may be cached for up to 24 hours. A true signon is made only when the credentials expire or when the PC is rebooted. Reconfiguring the connection to prompt every time or signing on an iSeries Navigator session will also force a true signon.

IBM i Access Client Solutions checks for new Application Administration settings much more frequently, normally when a requested function connects.

The web based IBM Navigator for i also checks for new Application Administration settings much more frequently, normally when you connect to and sign onto the interface within your web browser.



References:

IBM i OS Knowledge Center at
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzaj3/rzaj3overview.htm