News
Abstract
The Navigator interface provides a convenient graphical approach to access, monitor, and manage many aspects of the IBM i operating system. Each user must provide valid authorization credentials for every endpoint node accessed. This section reviews the various options for user profile usage and prompting.
If you do not want everybody with an IBM i profile to have access to Navigator, this page points you to how to use Function Usage IDs to limit access to IBM Navigator for i to certain users.
Content
- Serviceability > Connection Properties topics:
- GUI Preferences
- TLS Override
- Localhost Override - Navigator for i in Cloud environment
- Authentication: Access Authorization
- Function Usage IDs page (Security). This page explains how to use Function Usage IDs to prevent users from accessing all or specific Navigator components.
Access Authorization
The Navigator interface provides a user-friendly graphical approach to access, monitor, and manage many aspects of the IBM i operating system. Each user must provide valid authorization credentials for every endpoint node accessed.
System administrators can manage which functions and attributes each user can see and modify through 'normal' IBM i authority and access methods. When a user signs in to the Navigator interface, they run under the access and authorization credentials of that user profile. If a user can't access something from a green screen, access is not allowed in Navigator either.
Since Navigator is a client interface, it can allow access to other endpoint nodes as well as the IBM i that the Navigator is running on. Authorization credentials are required for each end-point node.
There are three methods by which the user and password for the end-point node can be obtained for authentication:
- Use the same user profile and password as was used when you sign in to the GUI node (default)
- Prompt for user and password on first access of an end-point node
- Save the specified user and password in an encrypted file on the GUI node and use the values saved in that file for future end-point IBM i nodes. This file is encrypted and is only accessible by the signed on user, but this method is still less secure and therefore not recommended.
Access authorization method details
Hover over the Serviceability tab and click the "Connection Properties" menu action.

From the Connection Properties page, select the "Authentication" tab on the left.

Select an option and click "Save". A change often requires you to sign back in for this browser session.
Details on each option:
- Use GUI login information to connect to all nodes on the dashboard (default) - The user is prompted for their IBM i user profile and password on the main Navigator sign-in page. The credentials are used to establish access to any endpoint already on the dashboard or to add an endpoint that the user wants to access, monitor, and manage. This user and password are not saved anywhere other than the application runtime. In order for a user to access an endpoint system, they must have the exact same user profile name and password on that endpoint. Note that the functions and access for a user profile can vary from endpoint to endpoint, since the credentials for that user on that endpoint are used to determine access and function availability for managing the system.
- Prompt for login information every time a connection to a node is made. Each endpoint node defined on the dashboard remains in a 'locked' access state until the user takes an action to access or manage that endpoint. For example, once a user double-clicks a dashboard tile to manage that endpoint, they are prompted for a user profile and password for that specific endpoint system. The Navigator interface uses those specified user credentials only for that endpoint. The Navigator interface continues to use the specified user profile and password only during this browser session.
- Prompt for login information and store it for future use. This option is not recommended in secure environments. The user is prompted once for the user and password for the endpoint node. The Navigator interface then saves that user profile and password information only on the GUI node in an encrypted file for future use. Only the GUI-node user profile has access to this file and can decrypt the user profile and password for the registered end-point nodes. To update the password on an end-point node, the user needs to right-click the tile on the dashboard, then use the "Edit Node Information" page to update the user and password values saved in the file.
Serviceability
Access to the Serviceability section is denied by default. Only user profiles with *ALLOBJ special authority are able to see this section by default. Normal user profiles need to be added to the QIBM_NAV_SERVICEABILITY function ID.
This authority is required to view Navigator Log files.
CHGFCNUSG FCNID(QIBM_NAV_SERVICEABILITY) USER(<userprofile>) USAGE(*ALLOWED)
See Function Usage IDs.
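To review who can currently reach the Serviceability section, the following added example (not part of the original IBM document) queries the function usage settings described above. It assumes the IBM i Services views QSYS2.FUNCTION_INFO, QSYS2.FUNCTION_USAGE and QSYS2.USER_INFO are available and that the signed-on profile is authorized to read them.

```sql
-- Added example; assumes the IBM i Services views named below exist
-- on the system and are readable by the profile running the queries.

-- 1. Default usage for the function ID and whether *ALLOBJ is honored.
SELECT FUNCTION_ID, DEFAULT_USAGE, ALLOBJ_INDICATOR
  FROM QSYS2.FUNCTION_INFO
 WHERE FUNCTION_ID = 'QIBM_NAV_SERVICEABILITY';

-- 2. Explicit usage entries (allowed or denied) for the function ID,
--    combined with every profile that holds *ALLOBJ in its own
--    special authorities. *ALLOBJ inherited from a group profile is
--    not resolved here; check group memberships separately.
SELECT U.USER_NAME               AS PROFILE,
       U.USER_TYPE               AS PROFILE_TYPE,
       'FUNCTION USAGE ' || U.USAGE AS REASON
  FROM QSYS2.FUNCTION_USAGE U
 WHERE U.FUNCTION_ID = 'QIBM_NAV_SERVICEABILITY'
UNION ALL
SELECT P.AUTHORIZATION_NAME,
       'USER',
       '*ALLOBJ SPECIAL AUTHORITY'
  FROM QSYS2.USER_INFO P
 WHERE P.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY 1;
```

Any profile in the result that should not see Navigator log files is a candidate for removal from the function ID or for a review of its special authorities.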
Document Information
Modified date:
09 April 2025
UID
ibm16483569