Authorizing users for i5/OS

i5/OS™ users must have a user profile on the management server that is running i5/OS and be registered in a function usage group.

To initially connect to a managed system running i5/OS, a user must also have a user profile on the managed system. Additionally, a security administrator must authorize these users to IBM Director Server and IBM Director Agent functions.

IBM Director running on i5/OS has a set of associated function identifiers to use for authorizing users, configuring default users, and defining a specific user under which jobs can run. Users must be registered in one of the following functions:
  • IBM Director Administrators
  • IBM Director Super Administrators
IBM Director is shipped with the user profile QCPMGTDIR. QCPMGTDIR has *ALLOBJ special authority as well as *SECADM special authority. QCPMGTDIR is used to start all IBM Director jobs and is the default profile under which the jobs run. You can change the default profile from QCPMGTDIR to a user profile of your choice for the following function IDs:
  • IBM Director Agent default user
  • IBM Director Server default user
  • IBM Director Agent run as user
  • IBM Director Server run as user
The following table describes the three function usage groups to which a user can be authorized.
Function ID Purpose
IBM Director Administrators Perform management functions using tasks to which they are authorized.
IBM Director Agent access Initially connect IBM Director Server to an IBM Director Agent.
註: By default, any user with *ALLOBJ authority has access to this function.
IBM Director Agent default user By specifying a user profile other than the default profile, remote commands can be performed on a managed system using the specified user profile. No user ID and password are required when requesting the command.
IBM Director Agent run as user By specifying a user profile other than the default profile, jobs on the managed system are performed under this profile. To complete all IBM Director tasks successfully, the user profile must have *ALLOBJ authority.
IBM Director Server default user Allows a user profile to be registered as the default for tasks such as file transfer, software distribution, and event actions. To complete all IBM Director tasks successfully, the user profile must have *ALLOBJ authority.
IBM Director Server run as user By specifying a user profile other than the default profile, jobs on the management server are performed under this profile. To complete all IBM Director tasks successfully, the user profile must have *ALLOBJ and *SECADM authority.
IBM Director Super Administrators Configure a set of privileges for the administrator group, edit user accounts on an individual basis, and use the functions of the DIRCLI client.

Prerequisite:

To authorize users to these functions, you must have *SECADM authority.

Complete the following steps to authorize users to IBM Director functions:
  1. In iSeries Navigator, right-click the server and click Application Administration.
  2. On the Application Administration dialog, click the Host Applications tab.
  3. Expand IBM Director for iSeries.
  4. Select the function group to which you want to add users and click Customize. Complete the instructions on the dialog to grant authority.
You can also use the Work Function Usage (WRKFCNUSG) command in the character-based interface, WRKFCNUSG QIBM_QDIR*.
(C) Copyright IBM Corporation 1999,2005. All Rights Reserved.