Application Administration with Access Client Solutions
Access Client Solutions (ACS) has had the ability to restrict the usage of specific functions by modifying the AcsConfig.properties file.
Last week I wrote about Application Administration with Navigator for i. I suspect most readers already knew about application administration with Navigator.
Access Client Solutions (ACS) has had the ability to restrict the usage of specific functions by modifying the AcsConfig.properties file. Restricting access in this way removes the function from the main GUI and disables its usage from the command line. If you aren’t aware of this capability and want to know more, refer to the Getting Started document, Section 9.5 Customized Packages.
But did you know that with the latest ACS update (January 2017), you could also use Application Administration to restrict the tasks that a user can access with Access Client Solutions?
If you had restricted access to Navigator tasks by using Application Administration, or if you used the Client Applications to restrict features of IBM i Access for Windows, those application administration restrictions now apply to ACS.
Functions that are controlled by Application Administration for Navigator functions are:
- Printer Output
- Integrated File Systems
- Database tasks (Run SQL Scripts and SQL Performance Center)
Functions that are controlled by Application Administration for Client Applications are:
- 5250 emulator
- Data Transfer
The support added in the January 2017 update allows you to restrict each of the above functions in its entirety by disabling the entire category using App Admin.
As you are getting started with this support, you may stumble upon a situation where it appears as if the customizations do not take effect. ACS caches the fact that a user is authorized to a function; if a user had been using ACS and becomes restricted from a function, ACS must be restarted for the restriction to take effect.
Below I show the details of what must be set in Application Administration in order for the user to be restricted from the corresponding function in ACS. In all of my examples, I have customized the Application Administration settings to exclude user DAWNMAY from specific functions.
Printer Output can be restricted from access by customizing Printer Output in the Basic Operations section of Navigator for i functions.
When a user is not allowed to use the Printer Output functions, taking Printer Output from the main ACS menu results in an error.
In the remaining examples, I’m not going to show the error messages; they all are similar and state the function usage that has been restricted. FYI, if you are not sure what the text string means (e.g., QIBM_XD1_OPNAV_PRINTOUT), you can use the WRKFCNUSG command which will display the text string along with a brief function description. In addition, I wrote an article summarizing function usage IDs some time ago.
Integrated File System
To restrict access to the Integrated File System tasks within ACS, you need to restrict access to all file systems within Navigator Application Administration.
The SQL Performance Center can be restricted from access by customizing by denying access to both SQL Performance Monitors and SQL Plan Cache in the Databases section of Navigator for i functions.
Run SQL scripts can also be restricted by disallowing a user from all four of the database functions in Navigator.
Customizing the configuration under Client Applications, System i Access for Windows -> 5250 Display and Printer Emulator restricts the 5250 Emulator.
When a user is restricted from using the 5250 Emulator, they will be able to start the 5250 emulator and will get prompted to sign on. However, the sign on will fail with an error that the user is not allowed to use the 5250 Emulator.
Customizing the configuration under Client Applications, System i Access for Windows -> Data Transfer restricts Data Transfer. Upload and Download can be independently restricted.
There’s still more work to do to make the ACS support of Application Administration equivalent to that of System i Navigator (client application). This January 2017 update is another step in that direction.