All you need is the User Function Registration APIs.
Last month, in "Accessing a Command Line," we looked at how the Retrieve User Information (QSYRUSRI) API could be used to control access to a specific function with an application program. The function we were controlling was access to a command line window, displayed using the Display Command Line Window (QUSCMDLN) API, by way of command key 9. The application determined whether or not command key 9 should be enabled, based on the user class (USRCLS) attribute of the user profile currently running the application program. In this article, we will look at a more flexible approach to managing user access to an application program function. For demonstration purposes, the application function being managed will continue to be the ability to access a command line window (using QUSCMDLN).
Back in V4R3, IBM provided a set of APIs referred to as the User Function Registration APIs. These APIs allow you to manage the registration of, and the access by users to, user-defined application functions. This function might be, as we'll be using today, access to a command-line window from an application. These registered functions might also be the ability for a user to run (or even see) particular update functions within a program, use a command key from an inquiry program to access a full social security number (as opposed to only the last four digits with the first five digits masked as XXX-XX), and the like.
Note that these APIs are not a replacement for your securing of resources such as database files, programs, etc. Users who are not allowed to use a particular application function due to the user function registration APIs can still perform the function through other interfaces. For instance, disabling an update function within program ABC, using the APIs we will be discussing, does not prevent a user from using SQL or DFU to accomplish the update (assuming in this case that the user is authorized to the underlying table/file).
The first step in using the User Function Registration APIs is to determine what application function you want to control and then registering that function. As we have already determined which function we wish to control—access to the command line window—we will turn next to registering the function. The registration of a user function can be accomplished by either calling the program QSYRGFN or the procedure export QsyRegisterFunction of service program QSYRGFN1. In our example programs, we'll be using the procedure QsyRegisterFunction.
There are several key decisions that you must make when registering a new user function, with the first being the name of the function. User function names, referred to in the API documentation as Function IDs, can be up to 30 bytes in length, and the scope of the name is system-wide. Due to function names/IDs being system-wide, IBM provides naming recommendations so as to minimize the potential of your names conflicting with third-party function names that are perhaps registered on your system—and, of course, IBM-provided function names. The recommendation is to start the function name with your company name, followed by an underscore, and then text describing the function being controlled. IBM, for instance, uses function names such as QIBM_ACCESS_ALLOBJ_JOBLOG and QIBM_SERVICE_TRACE. To see the user functions currently registered on your system, you can use the command WRKFCNUSG FCNID(*ALL). System i Navigator also allows you to see the user functions that are on your system.
If your company has several development groups, you may also want to further qualify user function names. IBM, for instance, uses the naming convention QIBM_Qccc_Descriptive_Text, where Qccc represents different development teams (components) within the operating system. Using this further qualification avoids one team, such as security (component SY), from inadvertently choosing the same descriptive name as work control (component WC).
Other key decisions involve what default usage (allow vs. disallow) should be used if a given user is not explicitly defined for the function, whether users with the special authority *ALLOBJ should be implicitly allowed access to the function, etc. In a future article, we'll look at some of these other decisions in greater detail. For now, we'll simply assume that we want to register a function named BVS_CMD_LINE_WINDOW (where BVS represents "my" company name of Bruce Vining Services) and that, by default, non-*ALLOBJ users should be denied access to the function.
Prior to actually registering our function, we need to register the product within which the function exists. We will name our product BVS_APPLICATIONS and register this product with the following program.
h DftActGrp(*no)
dCrtFcn pr extproc('QsyRegisterFunction')
d FcnID 30 const
d FcnControls 4096 const options(*varsize)
d QUSEC likeds(QUSEC)
dPrdControls ds qualified
d NbrOfCtls 10i 0 inz(1)
d LenKey2Len 10i 0 inz(16)
d Key2 10i 0 inz(2)
d LenKey2Dta 10i 0 inz(1)
d Key2Dta 1a inz('1')
d 3a
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
CrtFcn('BVS_APPLICATIONS' :PrdControls :QUSEC);
*inlr = *on;
return;
/end-free
Assuming that the previous program source is stored in member REGPRD (for Register Product) of QRPGLESRC, we can compile the program with CRTBNDRPG REGPRD and then run the program with CALL REGPRD. As with the discussion of other registration decisions, we'll look at the details of this (and the following program) in a subsequent article. For now, we'll just get our command line function registered and see how it can be used by the DSPHI application we developed last month.
The following program will register our initial product function to be controlled: BVS_CMD_LINE_WINDOW.
h DftActGrp(*no)
dCrtFcn pr extproc('QsyRegisterFunction')
d FcnID 30 const
d FcnControls 4096 const options(*varsize)
d QUSEC likeds(QUSEC)
dFcnControls ds qualified
d NbrOfCtls 10i 0 inz(3)
d LenKey3Len 10i 0 inz(44)
d Key3 10i 0 inz(3)
d LenKey3Dta 10i 0 inz(30)
d Key3Dta 30a inz('BVS_APPLICATIONS')
d 2a
d LenKey6Len 10i 0 inz(144)
d Key6 10i 0 inz(6)
d LenKey6dta 10i 0 inz(132)
d Key6Dta 132a inz('Provide command line -
d window access')
d LenKey11Len 10i 0 inz(16)
d Key11 10i 0 inz(11)
d LenKey11Dta 10i 0 inz(1)
d Key11Dta 1a inz('1')
d 3a
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
CrtFcn('BVS_CMD_LINE_WINDOW' :FcnControls :QUSEC);
*inlr = *on;
return;
/end-free
Assuming that the above program source is stored in member REGCMDLN (for Register Command Line) of QRPGLESRC, you can compile the program with CRTBNDRPG REGCMDLN and then run the program with CALL REGCMDLN. If you now use the Work with Function Usage command, WRKFCNUSG FCNID(*ALL), you should see that function BVS_CMD_LINE_WINDOW is registered with your system. Taking option 5 (Display usage) from the Work with User Function display panel of WRKFCNUSG, you will see that there are no users currently registered with the BVS_CMD_LINE_WINDOW function. While there is an API to add users to a User Function (which we will use in a future article), for now we'll use the Change Function Usage (CHGFCNUSG) command to add a user to BVS_CMD_LINE_WINDOW.
The following command will allow user profile VINING access to our registered function.
CHGFCNUSG FCNID(BVS_CMD_LINE_WINDOW) USER(VINING) USAGE(*ALLOWED)
Note that you should change the user name VINING in the previous command to a profile name (such as your own) that exists on your system. The profile name must exist at the time you run the command.
Having given VINING access to the command line window function, now let's see what needs to be changed in our DSPHI program to use the User Function Registration APIs—rather than the user class of VINING—in order to allow (or disallow) access to the command line window. Shown below, in bold, are the changes needed to last month's program.
h DftActGrp(*no)
fHI cf e workstn
dChkUsr pr extproc('-
d QsyCheckUserFunctionUsage')
d Usage 1
d Function 30 const
d UsrPrf 10 const
d QUSEC likeds(QUSEC)
dUseCmdLine pr extpgm('QUSCMDLN')
dUsage s 1a
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
ChkUsr(Usage :'BVS_CMD_LINE_WINDOW' :'*CURRENT' :QUSEC);
*in39 = (Usage = '2');
exfmt HiThere;
dow (not *in03);
if *in09;
UseCmdLine();
endif;
exfmt HiThere;
enddo;
*inlr = *on;
return;
/end-free
By compiling the changed DSPHI program shown above, signing on as the user previously registered to the BVS_CMD_LINE_WINDOW function, and calling DSPHI, you should see that command key 9 is enabled. By signing off, signing back on as a user not registered to BVS_CMD_LINE_WINDOW and without the *ALLOBJ special authority, and calling DSPHI, you should see that command key 9 is no longer available. By signing off, signing back on as a user with the special authority *ALLOBJ and not registered to BVS_CMD_LINE_WINDOW, and calling DSPHI, you should see that this user does have access to command key 9.
Prior to closing this article, and assuming that you don't want BVS_APPLICATIONS to continue being registered on your system, you can remove the registered function (and product) using the following program.
h DftActGrp(*no)
dDltFcn pr extproc('QsyDeregisterFunction')
d FcnID 30 const
d QUSEC likeds(QUSEC)
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
DltFcn('BVS_CMD_LINE_WINDOW' :QUSEC);
DltFcn('BVS_APPLICATIONS' :QUSEC);
*inlr = *on;
return;
/end-free
Assuming that the previous program source is stored in member DREGPRD (for Deregister Product) of QRPGLESRC, you can compile the program with CRTBNDRPG DREGPRD and then run the program with CALL DREGPRD.
As mentioned earlier, next month we'll look at more of the details behind the above programs. In future articles, we'll also look at some of the benefits you can pick up by utilizing the User Function Registration APIs within your applications—for instance, that the usage information associated with a user is saved and restored with the user profile when using commands such as SAVSECDTA, RSTUSRPRF, and RSTAUT.
As usual, if you have any API questions, send them to me at
Bruce Vining is president and co-founder of Bruce Vining Services, LLC, a firm providing contract programming and consulting services to the System i community. He began his career in 1979 as an IBM Systems Engineer in St. Louis, Missouri, and then transferred to Rochester, Minnesota, in 1985, where he continues to reside. From 1992 until leaving IBM in 2007, Bruce was a member of the System Design Control Group responsible for OS/400 and i5/OS areas such as System APIs, Globalization, and Software Serviceability. He is also the designer of Control Language for Files (CLF).A frequent speaker and writer, Bruce can be reached at
MC Press books written by Bruce Vining available now on the MC Press Bookstore.
 |
||
 |
|
IBM System i APIs at Work Leverage the power of APIs with this definitive resource. List Price $89.95 Now On Sale
|
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online