Dear Robert
The way I see it, in current IT world that is inundated with invisible hacking, I would say, at least for production environment, using Exclusionary Access Model for GUI interface is preferred - to disallow access by default and then grant access to a function for an individual as needed. I would say this may be the main reason why QIBM_NAV_ALL_FUNCTION is now shipped with default of *DENIED as of a certain level of PTF for IBM i 7.3 onward.
In my past experiences with customers, I noticed there were very few production users who were allowed to use Navigator GUI, if at all. I remember one system admin telling me the reason was that to allow all users to see Navigator GUI that displayed all available functions would "inspire" some users, and more importantly hackers, to try what they had no need to do and the system admin dreaded they may find a loophole left open unintentionally.
For your approach, I see that it is not easy to do this in a proactive way. I think you should ask yourself whether you can know in advance who, among all the users, should NOT access what? So, your approach practically is more likely to end up being a "reactive" way which means you wait until an undesired access happens to take action on it and you may be in trouble (like some of my system admin customers) for it if it happens to be a very "nasty" incident. For this, I see Exclusionary Access Control gives us more peace of mind. If you see you are in an environment that is sufficiently manageable such that any nasty incident is not likely, then consider yourself fortunate.
I even prefer all customers apply Exclusionary Access Control to all IBM i CL commands as well but I noticed only some customers did this. My guess is that it's not easy for "undesired" users to remember the exact syntax and valid parameters values of the commands while this is much less an obstacle in Navigator GUI which accommodates much more to the use of any function. I know this is mostly no longer true given the mighty Google search but this matter has a background in history before Google. ( I remember there was a SW security product (from IBM but I cannot remember its name) that prevents all user class *USER from accessing any CL commands at all without adopted authority in programs or the use of its Access List.)
This may sound paranoid but I can remind you that in the past, Andy Grove (one of the founders and CEOs of Intel) wrote a book with the name "Only The Paranoid Survive" :-)
BTW, I'm curious why you want to run your CHGFCNUSG command in the startup program? I looked into IBM documentation on this command and did NOT see that its effect is temporary. So I expect you can run it once in each IBM i LPAR and its effect is permanent as usual until you run this command again for a different setting. Another curiosity is why you do not post this question in IBM i Global group?
------------------------------
Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
------------------------------
Satid S.
------------------------------
Original Message:
Sent: Sat March 04, 2023 08:37 AM
From: Robert Berendt
Subject: CHGFCNUSG FCNID(QIBM_NAV_ALL_FUNCTION) DEFAULT(*ALLOWED)
I am thinking of adding the following command to the program which runs on all lpars upon IPL:
CHGFCNUSG FCNID(QIBM_NAV_ALL_FUNCTION) DEFAULT(*ALLOWED)
As a general rule I don't like playing whack-a-mole and blocking individual tools. Instead I try to set up security on the objects in question. Like, if the user shouldn't be in a particular output queue then secure the output queue. Don't customize commands to omit that output queue, etc.
What say ye?
------------------------------
Robert Berendt IBMChampion
------------------------------