How To
Summary
Authority collection is a capability that is provided as part of the base operating system. At a high level, authority collection captures data that is associated with the runtime authority checking that is built into the IBM i system. This data is logged to a repository provided by the system and interfaces are available to display and analyze the data.
Objective
The intent of this support is to assist the security administrator and application provider in securing the objects in an application with the lowest level of authority that is required to allow the application to run successfully. By using the authority collection capability to remove or avoid excess authority, the overall security of the objects that are used by an application is improved.
Environment
IBM i OS Versions 7.4 and above.
Steps
Start Authority Collection for Objects
Authority collection is started on one or more specific objects based on a user. Authority collection can be active for multiple objects at the same time.
At the command line, use the following command to get Authority Collection for Objects started:
STRAUTCOL TYPE(*OBJAUTCOL)
Note: You must have *ALLOBJ special authority or be authorized to the Database Security Administrator function of IBM i (QIBM_DB_SECADM) to use these commands.
You can verify that it is started by issuing the DSPSECA command and checking the "Authority collection for objects active" value.

Once authority collection for objects is started on the system, you need to start authority collection on the object(s):
CHGAUTCOL OBJ('/QSYS.LIB/V6CASTIL.LIB/CREDITCARD.FILE') AUTCOLVAL(*OBJINF)
NOTE: The command specifies the name of the object using the IFS path selection criteria. In the previous command, authority collection was started for the file CREDITCARD in library V6CASTIL.
You can verify that Authority Collection was started for the object with the DSPOBJD command:

Once authority collection is enabled and data has been logged for the object(s), you can analyze it as follows.
In the Run SQL Scripts tool, run the following SQL statement:
SELECT AUTHORIZATION_NAME AS USER_NAME,
COALESCE(PATH_NAME, SYSTEM_OBJECT_SCHEMA CONCAT '/' CONCAT SYSTEM_OBJECT_NAME) AS OBJECT,
SYSTEM_OBJECT_TYPE AS OBJECT_TYPE,
TIMESTAMP(CHECK_TIMESTAMP, 0) AS TIME,
AUTHORITY_SOURCE,
DETAILED_CURRENT_AUTHORITY,
DETAILED_REQUIRED_AUTHORITY,
SYSTEM_OBJECT_NAME,
SYSTEM_OBJECT_SCHEMA,
ASP_NAME,
ASP_NUMBER,
OBJECT_NAME,
OBJECT_SCHEMA,
AUTHORIZATION_LIST,
REQUIRED_AUTHORITY,
CURRENT_AUTHORITY
FROM QSYS2.AUTHORITY_COLLECTION_LIBRARIES

The following SQL views are used to display and analyze the authority information that was collected for objects:
- QSYS2.AUTHORITY_COLLECTION_OBJECT
- QSYS2.AUTHORITY_COLLECTION_LIBRARIES
- QSYS2.AUTHORITY_COLLECTION_FSOBJ
- QSYS2.AUTHORITY_COLLECTION_DLO
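The following query is an added example, not part of the original IBM document: it summarizes the checks logged for the CREDITCARD file per user and flags authorities that were held but never required by any logged check. It assumes QSYS2.AUTHORITY_COLLECTION_OBJECT exposes the same column names as the statement above and that the DETAILED_* columns contain authority names such as *READ and *UPD.

```sql
-- Added example (not IBM's query). Assumptions: the view has the columns used
-- in the statement above; DETAILED_* columns hold lists of authority names.
WITH checks AS (
    SELECT AUTHORIZATION_NAME,
           AUTHORITY_SOURCE,
           DETAILED_REQUIRED_AUTHORITY AS REQ,
           DETAILED_CURRENT_AUTHORITY  AS CUR,
           CHECK_TIMESTAMP
      FROM QSYS2.AUTHORITY_COLLECTION_OBJECT
     WHERE SYSTEM_OBJECT_SCHEMA = 'V6CASTIL'
       AND SYSTEM_OBJECT_NAME   = 'CREDITCARD'
       AND SYSTEM_OBJECT_TYPE   = '*FILE'
)
SELECT AUTHORIZATION_NAME AS USER_NAME,
       AUTHORITY_SOURCE,
       COUNT(*) AS CHECKS,
       TIMESTAMP(MIN(CHECK_TIMESTAMP), 0) AS FIRST_CHECK,
       TIMESTAMP(MAX(CHECK_TIMESTAMP), 0) AS LAST_CHECK,
       -- 'Y' = the authority was present in at least one check but no logged
       -- check ever required it, so it is a candidate for removal.
       CASE WHEN MAX(LOCATE('*READ', CUR)) > 0
             AND MAX(LOCATE('*READ', REQ)) = 0 THEN 'Y' ELSE 'N' END AS EXCESS_READ,
       CASE WHEN MAX(LOCATE('*ADD', CUR)) > 0
             AND MAX(LOCATE('*ADD', REQ)) = 0 THEN 'Y' ELSE 'N' END AS EXCESS_ADD,
       CASE WHEN MAX(LOCATE('*UPD', CUR)) > 0
             AND MAX(LOCATE('*UPD', REQ)) = 0 THEN 'Y' ELSE 'N' END AS EXCESS_UPD,
       CASE WHEN MAX(LOCATE('*DLT', CUR)) > 0
             AND MAX(LOCATE('*DLT', REQ)) = 0 THEN 'Y' ELSE 'N' END AS EXCESS_DLT,
       CASE WHEN MAX(LOCATE('*OBJMGT', CUR)) > 0
             AND MAX(LOCATE('*OBJMGT', REQ)) = 0 THEN 'Y' ELSE 'N' END AS EXCESS_OBJMGT,
       CASE WHEN MAX(LOCATE('*OBJEXIST', CUR)) > 0
             AND MAX(LOCATE('*OBJEXIST', REQ)) = 0 THEN 'Y' ELSE 'N' END AS EXCESS_OBJEXIST
  FROM checks
 GROUP BY AUTHORIZATION_NAME, AUTHORITY_SOURCE
 ORDER BY AUTHORIZATION_NAME, AUTHORITY_SOURCE;
```

The flags only reflect the code paths that ran while collection was active, so exercise the application's full workload before reducing any authority.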
In addition to using the SQL Views listed above, you can use Navigator for i to display the authority collection data.


To end authority collection on the object, use the command:
CHGAUTCOL OBJ('/QSYS.LIB/V6CASTIL.LIB/CREDITCARD.FILE') AUTCOLVAL(*NONE)
To end authority collection for objects at the system level, use the command:
ENDAUTCOL TYPE(*OBJAUTCOL)
To delete the authority collection data for the object, use the command:
DLTAUTCOL TYPE(*OBJ) OBJ('/QSYS.LIB/V6CASTIL.LIB/CREDITCARD.FILE')
More information on Authority Collection can be found:
Document Location
Worldwide
Document Information
Modified date:
14 February 2025
UID
ibm17183369