IBM Support

Authority Collection - Getting Started

Question & Answer


Question

Authority Collection - Getting Started with sample commands.

Answer

Authority Collection

Authority collection is a capability that is provided as part of the base operating system. At a high level, authority collection captures data that is associated with the run-time authority checking that is built into the IBM i system. This data is logged to a repository provided by the system and interfaces are available to display and analyze the data. The intent of this support is to assist the security administrator and application provider in securing the objects in an application with the lowest level of authority that is required to allow the application to run successfully. By using the authority collection capability to remove or avoid excess authority, the overall security of the objects that are used by an application is improved.

Start authority collection

Authority collection is based on a user. Authority collection can be active for multiple users at the same time and an authority collection repository exists for each user.

At the command line use the following command to get Authority Collection started:

STRAUTCOL USRPRF(HUGO) LIBINF((V6CASTIL)) OBJ(PAYROLL) OBJTYPE(*FILE)


Note: You must have *ALLOBJ special authority or be authorized to the Database Security Administrator function of IBM i (QIBM_DB_SECADM) to use these commands.





Note: This command will start collecting authority information for a user profile HUGO in a library V6CASTIL for a file named PAYROLL.

Once that Authority collection has been started for a user, we now need to run the application or process that allows the user to access the Payroll file.

Ending authority collection

To stop collecting authority information for a user, use the following command:

ENDAUTCOL USRPRF(HUGO)



Note: This command will end all authority collections for the user HUGO

Display authority collection data

To display the data collected for user HUGO, use the following commands:

Step 1: On the operating system command line, type the following commands and press the Enter key.

STRSQL to get to the interactive SQL command line. Then type the following:
 
  SELECT *
    FROM QSYS2.AUTHORITY_COLLECTION
    WHERE USER_NAME = 'HUGO'
          AND SYSTEM_OBJECT_NAME = 'PAYROLL'
          AND SYSTEM_OBJECT_SCHEMA = 'V6CASTIL'




Note 1 : Refer to document  Authority Collection - Sample SQL Queries additional sample queries.
Note 2: Refer to document Authority Collection File Layout  for information on the File Layout for the Authority Collection Process


Deleting authority collection data

To delete the Authority Collection data for user profile HUGO, use the following command:

DLTAUTCOL USRPRF(HUGO)





For additional information on the Authority Collection Process, refer to the Security Reference  manual Chapter 10.

 

[{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Document Information

Modified date:
04 February 2021

UID

nas8N1021165