Authority collection captures data associated with the runtime authority checking that is built into the IBM i system. This data is logged to a repository, and interfaces are available to display and analyze it. A security administrator or application provider can analyze the captured data to determine the minimum authority to the objects that the application needs in order to run successfully. Setting that minimum authority on the objects improves their security and better protects them from access outside of the application.
The enhanced IBM i 7.4 authority collection support allows the collection of authority information for specific objects when accessed by any user. The IBM i 7.3 support collects authority information for all objects accessed by a specific user. The new and enhanced interfaces are:
- Change Authority Collection (CHGAUTCOL)
- Start Authority Collection (STRAUTCOL)
- End Authority Collection (ENDAUTCOL)
- Delete Authority Collection (DLTAUTCOL)
- The Display Security Attributes (DSPSECA) command and the Retrieve Security Attributes (QSYRTVSA) API show the "authority collection for objects active" indicator.
- Interfaces that show object attributes now include the authority collection value for the object.
The authority collection value for an object can be set with the new Change Authority Collection (CHGAUTCOL) command. When authority collection for objects is started using the enhanced Start Authority Collection (STRAUTCOL) command, authority information is collected for the specific objects that have an authority collection value set. Authority information is collected for these objects when accessed by any user and is written to the authority collection repository for objects.
New SQL views have been added to display and analyze the authority collection data for objects:
- QSYS2.AUTHORITY_COLLECTION_OBJECT view - for QSYS objects; use this when the number of entries in the authority collection is large and you are looking for a specific object or objects in a specific library.
- QSYS2.AUTHORITY_COLLECTION_LIBRARIES view - for QSYS objects; use this when the number of entries in the authority collection is small or you are looking for all, or most, objects in the authority collection.
- QSYS2.AUTHORITY_COLLECTION_FSOBJ view - for file system objects in the "root" (/), QOpenSys, and user-defined file systems.
- QSYS2.AUTHORITY_COLLECTION_DLO view - for document and folder objects.
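The analysis these views support is deciding, per object, the smallest authority that still lets the application run and which granted authorities were never needed. The following example is added here and is not IBM's code or output: it works on a few constructed rows whose column names (library, object, type, user, required, current) are an assumption modelled loosely on what the views report, and it uses the IBM i special authority values *USE, *CHANGE, *ALL and *EXCLUDE as bundles of the specific object and data authorities.

```python
from collections import defaultdict

# IBM i specific object and data authorities, and the special values that bundle them.
OBJECT_AUTH = {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF"}
DATA_AUTH = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}
SPECIAL = {
    "*EXCLUDE": set(),
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR"} | DATA_AUTH,
    "*ALL": OBJECT_AUTH | DATA_AUTH,
}

# Constructed sample rows, not real collection output; the column names are an
# assumption modelled loosely on the QSYS2 authority collection views.
ROWS = [
    {"library": "PAYLIB", "object": "EMPMAST", "type": "*FILE", "user": "APPUSR",
     "required": "*OBJOPR *READ", "current": "*ALL"},
    {"library": "PAYLIB", "object": "EMPMAST", "type": "*FILE", "user": "APPUSR",
     "required": "*OBJOPR *UPD", "current": "*ALL"},
    {"library": "PAYLIB", "object": "PAYRUN", "type": "*PGM", "user": "APPUSR",
     "required": "*OBJOPR *EXECUTE", "current": "*CHANGE"},
]

def expand(auth):
    """Turn '*USE' or '*OBJOPR *READ' into the set of specific authorities it grants."""
    out = set()
    for a in auth.split():
        out |= SPECIAL.get(a, {a})
    return out

def minimum_special(required):
    """Smallest of *USE/*CHANGE/*ALL that covers the required set (None if nothing does)."""
    return next((n for n in ("*USE", "*CHANGE", "*ALL") if required <= SPECIAL[n]), None)

def minimum_required(rows):
    """Per object: union of authorities any user needed, and the smallest special value covering it."""
    needed = defaultdict(set)
    for r in rows:
        needed[(r["library"], r["object"], r["type"])] |= expand(r["required"])
    return {k: (sorted(v), minimum_special(v)) for k, v in needed.items()}

def excess_authority(rows):
    """Per object and user: authorities currently held that the collection never saw used."""
    needed, held = defaultdict(set), defaultdict(set)
    for r in rows:
        key = (r["library"], r["object"], r["type"], r["user"])
        needed[key] |= expand(r["required"])
        held[key] |= expand(r["current"])
    return {k: sorted(held[k] - needed[k]) for k in held}
```

Calling `minimum_required(ROWS)` reports that EMPMAST needs *CHANGE (or the narrower user-defined set *OBJOPR *READ *UPD) while PAYRUN needs only *USE; `excess_authority(ROWS)` lists the authorities APPUSR holds on each object beyond what was ever exercised.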
For complete details on the enhanced authority collection support, see the Authority Collection section of the Security reference topic in the IBM i Knowledge Center.
09 January 2020