Changing command authority - Assure_DB2_Data_Monitor_(DB2MON) - Assure_Elevated_Authority_Manager_(EAM) - Assure_Encryption - Assure_Monitoring_and_Reporting_(AMR) - Assure_Secure_File_Transfer - Assure_Secure_File_Transfer_ - Assure_Secure_File_Transfer_PGP - Assure_Secure_File_Transfer_with_PGP - Assure_Security_Multi-Factor_Authentication_(MFA) - Assure_System_Access_Manager_(SAM) - Required_for_All_Modules - assure_ioptimize - assure_itera - assure_mimix - 10.0

License Manager for IBM i Products

Product type
Software
Portfolio
Integrate
Product family
Assure
Product
Assure Security > Required for All Modules
Assure Security > Assure Encryption
Assure iTERA
Assure MIMIX™ Software
Assure Security > Assure Secure File Transfer
Assure Security > Assure Elevated Authority Manager (EAM)
Assure Security > Assure DB2 Data Monitor (DB2MON)
Assure iOptimize
Assure Security > Assure Security Multi-Factor Authentication (MFA)
Assure Security > Assure Monitoring and Reporting (AMR)
Assure Security > Assure System Access Manager (SAM)
Assure Security > Assure Secure File Transfer with PGP
Version
10.0
Language
English
Product name
Assure
Title
License Manager for IBM i Products
Copyright
2023
First publish date
1999
ft:lastEdition
2024-07-02
ft:lastPublication
2024-07-02T13:03:21.227059

There may be times when it is necessary to change the authority level of a Precisely-supplied command while product-level security is in use. For example, you may want to change the SWTDG command within MIMIX, which requires *OPR authority, to require *MGT authority instead. Command authority support enables you to change authorization to specific commands. Any changes that are made to authority for a command are effective when product-level security is activated for each product in which the command can be used. Command authority changes are retained when upgrades are performed on the system.

The Change Command Authority (CHGCMDAUT) command allows you to modify the authority level of a Precisely-supplied command when product-level security is in use. When product authority is active, you must have *ADM authority to License Manager to run this command. The authority levels for CHGCMDAUT, GRTPRDAUT, RVKPRDAUT, and CHGLICKEY cannot be changed.

Note: Changes are effective for the products in all installation libraries on the system in which the command can be used. For example, you may have two installation libraries, where one contains Assure MIMIX Professional, and the other contains Assure MIMIX Enterprise and Assure MIMIX Global. If you change the Create System Definition authority from *MGT to a different value, this change is effective for all products in both installations and is enforced for the products which have enabled product-level security.

Care must be used when changing command authority for commands that are used by multiple products and for commands that are called internally within multiple products. (RUNCMD and RUNCMDS are examples of commands available in multiple products that can be run by users as well as can be invoked by functions within products.)

For example, you have a system with MIMIX products installed in three different libraries. Library A contains MIMIX licensed for Assure MIMIX Enterprise. Library B contains MIMIX licensed for Assure MIMIX Enterprise and Assure MIMIX for PowerHA. You have enabled product-level security for the products in libraries A and B. You have set up two group user profiles with product authority to control access to MIMIX functions in libraries A and B. One group has *OPR access and the other group has *MGT access. The members of the *OPR group are the same in both libraries, as are the members of the *MGT group. Library C contains Assure MIMIX Professional and you have not enabled product-level security for it. You have decided to use command authority to restrict authorization to the Start Precisely TCP Server (STRSVR) and End Precisely TCP Server (ENDSVR) commands to users with *MGT or higher authority. Because the command authority change is effective for every MIMIX product on the system but is only enforced for products that have enabled product-level security, the result of this decision will be:

  • All users can use the STRSVR and ENDSVR commands from library C (Assure MIMIX Professional) because command authority is not enforced when product-level security is disabled.

  • Members of the group profile with *OPR authority in libraries A and B cannot use the STRSVR and ENDSVR commands because the command authority changed to a level higher than that to which their group is authorized.

  • Members of the group profile with *MGT authority can run the STRSVR and ENDSVR commands in libraries A and B because their group has the appropriate authority.

  • If product-level security is enabled for Assure MIMIX Professional in library C, only members of the group profile with *MGT authority can run the STRSVR and ENDSVR commands in library C.