News
Abstract
Add QIBM_DB_ZDA and QIBM_DB_DDMDRDA function usage IDs
Content
These function usage IDs can be used to block inbound database server connections, and the check is independent of the communication protocol. The function usage IDs ship with default authority = *ALLOWED. The security officer can easily deny access to specific users or groups.
Alternative to a User Exit Program approach. No coding required, easy to change and auditable.
- QIBM_DB_ZDA (restrict ODBC and JDBC Toolbox from the server side, including Run SQL Scripts, System i Navigator and DB2 specific portions of Systems Director Navigator for i)
- QIBM_DB_DDMDRDA (ability to lock down DDM and DRDA application server access)
The new function usage IDs appear on the Work with Function Usage (WRKFCNUSG) command. The Change Function Usage (CHGFCNUSG) command can be used to configure the function usage ID security settings.
Example: (this shows how to "lock down" the ZDA or DDM/DRDA interfaces)
CHGFCNUSG FCNID(QIBM_DB_ZDA) USER(user1) USAGE(*DENIED)
CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) USER(user1) USAGE(*DENIED)
Usage Notes:
The QIBM_DB_DDMDRDA and QIBM_DB_ZDA function usage IDs are shipped with default authority set to *ALLOWED.
The authorization checking for these IDs occurs prior to any user exit programs getting control. If the user fails the function usage authorization check, the user exit program will not be called.
Many applications and some IBM products rely upon QRWTSRVR and QZDASOINIT jobs. Disallowing access too broadly can cause these applications to fail in a manner that does not obviously point to function usage administration. Most clients will report this failure as a dropped connection when a user is denied access.
Users denied access will see a CPF9898 message at connect time on IBM i releases 6.1, 6.1.1, and 7.1 stating that the function usage ID QIBM_DB_ZDA is set to deny their user profile access. Users that already have a connection established before a system administrator sets their user profile to denied will continue to be able to use their existing connection and will be denied on future connects.
"QIBM_DB_ZDA FUNCTION USAGE IS DENIED FOR USER PROFILE XXXXXXXX"
A special case exists when a user profile appears under the function usage more than once. Since a user can belong to one or more group profiles, the function usage specification can refer to the user in multiple ways for a single function usage. First, if multiple group profiles to which a user belongs are referenced under the function usage and the user profile is NOT referenced, the user is granted function usage if ANY of the listed group profiles has USAGE(*ALLOWED). If one group profile is configured with usage *DENIED while another has *ALLOWED, the user is granted function usage. All a user needs is for one of their group profiles to have permission to use the function.
Second, if one or more group profiles to which a user belongs are referenced under the function usage and the user profile IS explicitly referenced, the explicit user reference determines whether the user is granted function usage. For example, a user belongs to two group profiles, GRPA and GRPB. If both groups are configured with usage *ALLOWED and the user profile has function usage *DENIED, the user is not granted function usage. Individual function usage references take precedence over group profile references.
Security audit records are written to the QSYS/QAUDJRN security audit journal when auditing is enabled and the auditing level is configured to record authorization failures. A GR-F audit record with *USAGEFAILURE is written if the function usage check fails.
For example:
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL')
DSPJRN JRN(QSYS/QAUDJRN) FROMTIME('01/25/2012' 080000)
Display Journal Entries
Journal . . . . . . :   QAUDJRN      Library . . . . . . :   QSYS
Largest sequence number on this screen . . . . . . :   00000000000000003036
Type options, press Enter.
  5=Display entire entry
Opt  Sequence  Code  Type  Object  Library  Job         Time
     3035      T     GR                     QZDASOINIT  8:24:29
     3036      T     GR                     QZDASOINIT  8:24:30
Figure 1. DSPJRN (Display Journal) command display

Lastly, these function usage IDs are shipped with the function usage configuration "*ALLOBJ special authority" set to *USED. This setting allows users with *ALLOBJ user special authority to use the function as though they had been granted explicit function usage authority. If you do not want to allow this *ALLOBJ authorization, use the Change Function Usage (CHGFCNUSG) command to change the configuration to *NOTUSED.
For example:
CHGFCNUSG FCNID(QIBM_DB_ZDA) ALLOBJAUT(*NOTUSED)
and
CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) ALLOBJAUT(*NOTUSED)
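Added example (not IBM code) modelling the precedence rules described above: the explicit-user-over-group rule from the special case notes and the *ALLOBJ setting from the last note, so the outcome of a CHGFCNUSG configuration can be predicted before anyone connects. The class and function names are assumptions, as is evaluating *ALLOBJ before explicit entries.

```python
# Added example, not IBM code: a model of the function usage check this
# document describes, so an administrator can predict the outcome of a
# CHGFCNUSG configuration before a client connects. Names are assumptions;
# evaluating *ALLOBJ before explicit entries is also an assumption.
from dataclasses import dataclass, field

ALLOWED, DENIED = "*ALLOWED", "*DENIED"

@dataclass
class FunctionUsage:
    fcnid: str
    default: str = ALLOWED          # both IDs ship with default *ALLOWED
    allobjaut: str = "*USED"        # shipped setting; *NOTUSED ignores *ALLOBJ
    entries: dict = field(default_factory=dict)  # profile name -> usage

@dataclass
class Profile:
    name: str
    groups: tuple = ()              # group profiles the user belongs to
    allobj: bool = False            # user has *ALLOBJ special authority

def chgfcnusg(fu, user, usage):
    """Model of CHGFCNUSG FCNID(fu.fcnid) USER(user) USAGE(usage)."""
    fu.entries[user.upper()] = usage

def check_usage(fu, profile):
    """Return (granted, reason) for one connect attempt. A False result is
    where the GR-F *USAGEFAILURE audit record is written and no user exit
    program is called."""
    if fu.allobjaut == "*USED" and profile.allobj:
        return True, "*ALLOBJ special authority with ALLOBJAUT(*USED)"
    explicit = fu.entries.get(profile.name.upper())
    if explicit is not None:        # explicit user entry wins over groups
        return explicit == ALLOWED, f"explicit user entry {explicit}"
    group_usages = [fu.entries[g.upper()] for g in profile.groups
                    if g.upper() in fu.entries]
    if group_usages:                # ANY group with *ALLOWED is enough
        return ALLOWED in group_usages, "group entries " + ",".join(group_usages)
    return fu.default == ALLOWED, f"function default {fu.default}"

if __name__ == "__main__":
    zda = FunctionUsage("QIBM_DB_ZDA")
    chgfcnusg(zda, "GRPA", ALLOWED)
    chgfcnusg(zda, "GRPB", DENIED)
    chgfcnusg(zda, "USER1", DENIED)
    for p in (Profile("USER1", ("GRPA", "GRPB")), Profile("USER2", ("GRPA", "GRPB"))):
        print(p.name, check_usage(zda, p))
```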
Document Information
Modified date:
21 January 2020
UID
ibm11172512