IBM Support

Performance Data Investigator - Authority Requirements

News


Abstract

Authority requirements for using Performance Data Investigator and other Performance tools on the web in IBM Navigator for i

Content

Authority Topics:

Authority to create aliases
User wanting to view graphs in Performance Data Investigator must be able to create/replace aliases.  This requires *USE authority to CRTDDMF:
  • GRTOBJAUT OBJ(CRTDDMF) OBJTYPE(*ALL) USER(<userprofile>);
Additionally authority to QIBM_DB_SECADM and QIBM_DB_SQLADM may be required to run the SQL required:
  • CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(<userprofile>) USAGE(*ALLOWED);
  • CHGFCNUSG FCNID(QIBM_DB_SQLADM) USER(<userprofile>) USAGE(*ALLOWED);
Authority to the database files and members used in Performance Data Investigator is required to use PDI

If a userid does not have *ALLOBJ authority (for example, User Class *SECOFR authority with *ALLOBJ removed), it needs to be added to these two authorization lists:

  1. QPMCCDATA
  2. QPMCCFCN

Authority in the Monitor authorization list for System Monitors is required for all users to access System Monitors

If a userid does not have *ALLOBJ authority (for example, User Class *SECOFR authority with *ALLOBJ removed), add the profile to the monitor authorization list:  QNAVMNTR.

To view the data resulting from monitors, a user will also require access to the PDI-specific authorization lists.

For more detail, see: Authority for System Monitors

PDI authority information for user profile

For correct access needed to run PDI or Performance task in the IBM Navigator for i GUI, add a user profile to the authorization lists specific to PDI and the data generated by Collection Services: QPMCCFCN, QPMCCDATA.  If a user profile does not have all object authority, add the profile to the authorization lists. 

Adding a user profile to an authorization list can be done with the IBM Navigator for i GUI interface or through the green screen command line.

New Navigator Function Usage IDs

To access function within the IBM Navigator for i, a user is required to be allowed access through function usage IDs. 

  • QIBM_NAV_PDI is for Performance function
  • QIBM_NAV_MONITORS is for Monitor function

See Function Usage IDs for more information.

Update Authorization List - Navigator for i:

Figure 1: Open Authorization Lists under Security

Authorization Lists

Figure 2: Filter for QPMC to see the two lists

Figure 3:  For one of the two authorization lists, select Actions-> Permissions to view and edit the list.

< future availability>

Figure 4: Select Add button to put in a new user profile.

< future availability>

Figure 5: Under Specify type in user profile, or select from list.

< future availability>

Figure 6: Select Ok or Apply to complete add

Update Authorization list - Green Screen Commands:

Use the EDTAUTL command on the i:

  1. EDTAUTL AUTL(<authorization list>)  
  2. Click F6 for Add new user
  3. <usrprf> *ALL

> ADDAUTLE AUTL(QPMCCDATA) USER(<usrprf>) AUT(*ALL)
> ADDAUTLE AUTL(QPMCCFCN) USER(<usrprf>) AUT(*ALL)

> ADDAUTLE autle(QNAVMNTR) user(<usrprf>) AUT(*ALL) [use QINAVMNTR for heritage Navigator]

Note:  The authorization lists allow access to the database files and CS commands like CFGPFRCOL and CRTPFRDTA.  

*MGTCOL objects are *EXCLUDE for public but there is a special user profile that is shipped with the OS named QCOLSRV that can access the *MGTCOLs as well as the database files and CS commands.  Any other user would need *ALLOBJ authority to gain access to the *MGTCOLs.


 

Job Watcher and Disk Watcher

Use Job Watcher and Disk Watcher performance on the web interfaces to create definitions and start and stop JW & DW. 

To use Job Watcher and Disk Watcher commands

  • Requires service (*SERVICE) special authority, or be authorized to the Job Watcher or Disk Watcher function of the operating system.
    • Two options:

      1- Change User Profile to add *SERVICE authority to create Job Watcher & Disk Watcher Definitions or to Start Job Watcher and Disk Watcher.

      2- Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_JOB_WATCHER or QIBM_SERVICE_DISK_WATCHER, can be used to change the list of users that are allowed to use this command.

      CHGFCNUSG FCNID(QIBM_SERVICE_JOB_WATCHER) USER(<usrprofile>) USAGE(*ALLOWED)

      CHGFCNUSG FCNID(QIBM_SERVICE_DISK_WATCHER) USER(<usrprofile>) USAGE(*ALLOWED)

      To read more on Function Usage IDs, see this article: IBM Navigator for i function usage IDs

  • Requires execute (*EXECUTE) authority to the library specified in the Library parameter (default QPFRDATA).
  • Requires authority to see the definitions for JW & DW shipped public *EXCLUDE:
    • To see the definitions shipped in Disk Watcher, users require authority to QAPYDWDFN file in QSYS 
    • To see the definitions shipped in Job Watcher, users require authority to the QAPYJWDFN file in QSYS (OR QUSRSYS)

Collection Services - Configure & Cycle requires *JOBCTL authority

CS requires user profile to have *JOBCTL special authority to Cycle Collection Services and Configure Collection services.


Performance Explorer (PEX)

PDI has perspectives to view PEX TPROF data.

To use PEX you must have *SERVICE special authority, or be authorized to the Service Trace function of the operating system.

Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE, can be used to change the list of users that are allowed to perform trace operations.

CHGFCNUSG FCNID(QIBM_SERVICE_TRACE) USER(<usrprofile>) USAGE(*ALLOWED)

The PEX commands are shipped with public *EXCLUDE authority.

The following user profiles have private authorities to use the command:  QPGMR, QSRV

 

Authority Problems and Troubleshooting

1) No collections:  The following are all symptoms of an authority issue to the collection or executing SQL to access the collections list:

  • Empty collections list or library drop-down
  • The manage collections list is empty
  • The launch to a chart does not happen when a perspective and collection are selected

Check the following after completing the authorization steps listed: 

  • Verify that you can see the entries in the table, RunSQLScripts (from Access Client Solutions - ACS): > SELECT * FROM QUSRSYS.QAPMCCCNTB
  •  Is there an exit point registered that blocks the connection to the as400 toolbox?  Use command WRKREGINF to find out.
  • If an exit program to restrict the running of SQL for user profiles is set up, it prevents PDI from running.  Users who use PDI must have ability to run SQL to access the collections.
  • Check with WRKREGINF to get a list of the registered exit points.  The registered exit points may not specifically stop the query from STRSQL, but it could block the SQL from coming through the port.  To verify that you have access to the required table, enter the following in RunSQLScripts: SELECT * FROM QUSRSYS.QAPMCCCNTB
    • Exit programs defined for these exit points can affect PDI or monitors:  
      • QIBM_QZDA_INIT
      • QIBM_QZRC_RMT
      • QIBM_QZHQ_DATA_QUEUE
  • Try different user profiles:  QSECOFR, QPGMR, to see whether they work.  If they do, but your profile does not, it could be affecting user profile created since a registered exit point was added.  The exit point can disable the SQL function for network security measures on IDs created after that time but might not affect all (created earlier).

2) No perspectives: If you cannot see any perspectives on the left navigation or when you select Investigate Data, it is most likely an authority issue for the PML directory where the perspectives are defined.  After you complete the authorization steps listed, check these items:

  • Make sure all IBM i Access servers are running Network -> Servers -> IBM i Access Servers
  • Is Collection Services running on the system?  Are there active or stopped collections in QMPGDATA?  Have the customer show the drop-down for the Collection Library and Collection Name on the Investigate Data panel.
  • Run areVerify on the system being targeted
    The following command network health checker (ARE) covers the FQDN and DNS availability checks:
        /QIBM/ProdData/OS/OSGi/templates/bin/areVerify.sh -network
    Specifically, look for the interface defined for the loopback.
  • Check for bad DNS and other performance improvements:  Improving IBM Navigator for i Performance
    • Note that much of this is outdated, since it was originally written for the heritage Navigator.
3) Cannot select a perspective: If a valid collection is selected but selecting a perspective does not display a chart, check the following:
  • The charts can only be launched when a perspective is selected and a valid collection for that perspective is also selected.  It requires two choices. Verify that both selections are valid. 
  • If there are no collections being shown in the drop-down menu, check that collections are shown the Management Collections table.  If any expected collections are missing, Rebuild Collections Table.  The collections table gets out of syn when commands other than those supplied by Collection Services are used to move, restore, or copy collections.  For best results, use the *PFRCOL commands.
  • Verify user profile authority as listed first on this page.
  • The selected perspective must be valid for the collection selected:  Verify that the members exist for that collection in each of the required files.  Start with: "CPU Utilization & Waits Overview" requires QAPMISUM & QAPMSYSTEM.  The Perspective link is active if those files exist for the collection selected.
  • Check whether anything in Collection Services Database Files can be viewed.  Start with QAPMSYSTEM.
  • Possibly out of sync data.  Log out of IBM Navigator for i and log back in.
For ability to run SQL, includes create alias:

https://www.ibm.com/docs/en/i/7.3?topic=statements-create-alias

The privileges held by the authorization ID of the statement must include at least one of the following:


The privileges held by the authorization ID of the statement must include at least one of the following:

  • The following system authorities:
    • *USE to the Create DDM File (CRTDDMF) command
    • Database administrator authority

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CH1AAM","label":"IBM Navigator for i"}],"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;and future releases"}]

Document Information

Modified date:
13 September 2023

UID

ibm16485639