Question & Answer
Question
Authority Collection - Getting Started with sample commands.
Answer
Authority Collection
Authority collection is a capability that is provided as part of the base operating system. At a high level, authority collection captures data that is associated with the runtime authority checking that is built into the IBM i system. This data is logged to a repository provided by the system and interfaces are available to display and analyze the data. The intent of this support is to assist the security administrator and application provider in securing the objects in an application with the lowest level of authority that is required to allow the application to run successfully. By using the authority collection capability to remove or avoid excess authority, the overall security of the objects that are used by an application is improved.
Start authority collection
Authority collection is based on a user. Authority collection can be active for multiple users at the same time and an authority collection repository exists for each user.
At the command line, use the following command to get Authority Collection started:
STRAUTCOL USRPRF(HUGO) LIBINF((V6CASTIL)) OBJ(PAYROLL) OBJTYPE(*FILE)
Note: You must have *ALLOBJ special authority or be authorized to the Database Security Administrator function of IBM i (QIBM_DB_SECADM) to use these commands.

Note: This command starts collecting authority information for user profile HUGO on the file named PAYROLL in library V6CASTIL.
Once authority collection has been started for the user, run the application or process that allows the user to access the PAYROLL file.
Ending authority collection
To stop collecting authority information for a user, use the following command:
ENDAUTCOL USRPRF(HUGO)

Note: This command ends all authority collections for the user HUGO.
Display authority collection data
To display the data collected for user HUGO, use the following commands:
Step 1: On the operating system command line, type STRSQL and press the Enter key to get to the interactive SQL command line. Then type the following:
SELECT *
FROM QSYS2.AUTHORITY_COLLECTION
WHERE USER_NAME = 'HUGO'
AND SYSTEM_OBJECT_NAME = 'PAYROLL'
AND SYSTEM_OBJECT_SCHEMA = 'V6CASTIL'

Note 1: Refer to the document Authority Collection - Sample SQL Queries for additional sample queries.
Note 2: Refer to the document Authority Collection File Layout for information on the file layout for the Authority Collection process.
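The following query is an added example, not part of the original IBM document. It condenses the collected rows for HUGO on V6CASTIL/PAYROLL into one line per distinct authority check so the required authority can be compared with the authority the user actually held. Only USER_NAME, SYSTEM_OBJECT_NAME and SYSTEM_OBJECT_SCHEMA appear on this page; the other column names are assumed from the view's layout and should be confirmed against the Authority Collection File Layout document.

```sql
-- Added example: compare required vs. current authority for HUGO on
-- V6CASTIL/PAYROLL, one row per distinct kind of authority check.
-- Columns other than USER_NAME, SYSTEM_OBJECT_NAME and SYSTEM_OBJECT_SCHEMA
-- are assumptions; verify them against the file layout before use.
SELECT SYSTEM_OBJECT_TYPE,
       AUTHORITY_SOURCE,                 -- where the authority came from
       DETAILED_REQUIRED_AUTHORITY,      -- what the check needed
       DETAILED_CURRENT_AUTHORITY,       -- what the user held at the time
       AUTHORITY_CHECK_SUCCESSFUL,       -- whether the check passed
       COUNT(*)             AS CHECKS,
       MIN(CHECK_TIMESTAMP) AS FIRST_SEEN,
       MAX(CHECK_TIMESTAMP) AS LAST_SEEN
  FROM QSYS2.AUTHORITY_COLLECTION
 WHERE USER_NAME = 'HUGO'
   AND SYSTEM_OBJECT_NAME = 'PAYROLL'
   AND SYSTEM_OBJECT_SCHEMA = 'V6CASTIL'
 GROUP BY SYSTEM_OBJECT_TYPE,
          AUTHORITY_SOURCE,
          DETAILED_REQUIRED_AUTHORITY,
          DETAILED_CURRENT_AUTHORITY,
          AUTHORITY_CHECK_SUCCESSFUL
 ORDER BY CHECKS DESC
```

Rows where the current authority is broader than the required authority are candidates for reduction. The result only covers the code paths that were exercised while the collection was active.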
Deleting authority collection data
To delete the Authority Collection data for user profile HUGO, use the following command:
DLTAUTCOL USRPRF(HUGO)

For additional information on the Authority Collection Process, refer to the Security Reference manual Chapter 10.
Document Information
Modified date: 05 April 2022
UID: nas8N1021165