DRDA and DDM server access control using function usage ID

A security feature of the Distributed Data Management (DDM) and Distributed Relational Database Architecture™ (DRDA) server, for use with both Advanced Program-to-Program Communication (APPC) and TCP/IP, allows the QIBM_DB_DDMDRDA function usage ID to be used to block database server access to users and groups over DDM and DRDA without having to write a user exit program.

The function usage ID QIBM_DB_DDMDRDA is used to block DDM and DRDA application server inbound connection requests from users and groups and is not based on the communication protocol. It can be configured using the Change Function Usage (CHGFCNUSG) command or the Work with Function Usage (WRKFCNUSG) command. The function usage ID is shipped with the default authority set to *ALLOWED. The security officer can easily deny access to specific users and groups. This function usage ID is meant to be an alternative to the user exit program approach: no coding is required, it is easy to change, and it is auditable.

Example of denying a user DDM or DRDA access:

CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) USER(user1) USAGE(*DENIED)

The authorization checking for this function usage ID occurs prior to any user exit programs getting control. If the user fails the function usage authorization check, the user exit program will not be called.

Many applications and some IBM products rely upon QRWTSRVR jobs. Disallowing access too broadly can cause these applications to fail in a manner that does not obviously point to function usage administration. Most clients will report this connection failure as a dropped connection when a user is denied access.

On IBM i releases 6.1, 6.1.1, and 7.1, users denied access will see a CPF9898 message "QIBM_DB_DDMDRDA FUNCTION USAGE IS DENIED FOR USER PROFILE XXXXXXXX" at connect time, stating that the function usage ID QIBM_DB_DDMDRDA is set to deny their user profile access. Users who already have a connection established before a system administrator sets their user profile to denied will continue to be able to use their existing connection; access is revoked on future connects.

Special cases:

  • First, a special case exists when a user profile appears under the function usage more than once. Since a user can belong to one or more group profiles, the function usage specification can refer to the user in several ways for a single function. If multiple group profiles to which a user belongs are referenced under the function usage and the user profile itself is NOT referenced, the user is granted function usage if ANY of the listed group profiles has USAGE(*ALLOWED). If one group profile is configured with usage *DENIED while another group profile has *ALLOWED, the user is granted function usage. All a user needs is for one of their group profiles to have permission to use the function.
  • Second, a special case exists when one or more group profiles to which a user belongs are referenced under the function usage and the user profile IS explicitly referenced under the function usage. The explicit user reference determines whether the user is granted function usage. For example, a user belongs to two group profiles, GRPA and GRPB. If both groups are configured with usage *ALLOWED and the user profile has function usage *DENIED, the user is not granted function usage. Individual function usage references take precedence over group profile references.

Audit records:

Security audit records are written to the QSYS/QAUDJRN security audit journal when auditing is enabled and the auditing level is configured to record authorization failures. A GR-F audit record containing *USAGEFAILURE is written when the function usage check fails.

Example:

CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL')
DSPJRN JRN(QSYS/QAUDJRN) FROMTIME('01/25/2012' 080000)

Display Journal Entries

Journal . . . . . . : QAUDJRN Library . . . . . . : QSYS
Largest sequence number on this screen . . . . . . : 00000000000000003036
Type options, press Enter.
5=Display entire entry


Opt Sequence Code Type Object Library Job Time
3035 T GR QRWTSRVR 8:24:29
3036 T GR QRWTSRVR 8:24:30

Display Journal Entry

Object . . . . . . . : Library . . . . . . :
Member . . . . . . . :
Incomplete data . . : No Minimized entry data : *NONE
Sequence . . . . . . : 3036
Code . . . . . . . . : T - Audit trail entry
Type . . . . . . . . : GR - General purpose audit record

Entry specific data
Column *...+....1....+....2....+....3....+....4....+....5
00001 'FZRSLFUSER *USAGEFAILURE '
00051 ' '
00101 ' QIBM_DB_DDMDRDA '
00151 ' '
00201 ' '
00251 ' '
00301 ' ' 

Lastly, this function usage ID is shipped with the function usage configuration "*ALLOBJ special authority" set to *USER. This setting allows users with *ALLOBJ user special authority to use function as though they had been granted explicit function usage authority. If you do not want to allow this *ALLOBJ authorization, use the Change Function Usage (CHGFCNUSG) command to change the configuration to *NOTUSED.

Example:

CHGFCNUSG FCNID(QIBM_DB_DDMDRDA) ALLOBJAUT(*NOTUSED)
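The following Python model is an added illustration, not IBM code, of how the decision described in the "Special cases" section and the *ALLOBJ paragraph above is resolved for a connecting user: an explicit user entry takes precedence over group entries, any one *ALLOWED group is enough when only groups are referenced, and unreferenced users fall through to the default usage. The FunctionUsage, UserProfile, is_usage_allowed and connection_outcome names are inventions of this example. One ordering detail is an assumption: the model applies the "*ALLOBJ special authority *USED" shortcut before consulting user and group entries, which matches the text's statement that such users are treated as if they had explicit usage authority.

```python
"""Model of the QIBM_DB_DDMDRDA function usage decision (added example, not IBM code)."""
from dataclasses import dataclass, field

ALLOWED = "*ALLOWED"
DENIED = "*DENIED"
USED = "*USED"        # ALLOBJAUT(*USED): *ALLOBJ users may use the function
NOTUSED = "*NOTUSED"  # ALLOBJAUT(*NOTUSED): *ALLOBJ confers nothing


@dataclass
class FunctionUsage:
    """Usage settings for one function ID, as CHGFCNUSG / WRKFCNUSG would show them."""
    fcnid: str
    default_usage: str = ALLOWED   # shipped default for QIBM_DB_DDMDRDA
    allobj_authority: str = USED   # shipped ALLOBJAUT setting
    entries: dict = field(default_factory=dict)  # profile name -> *ALLOWED / *DENIED

    def chgfcnusg(self, user=None, usage=None, allobjaut=None):
        """Mimic CHGFCNUSG FCNID(...) USER(...) USAGE(...) and ALLOBJAUT(...)."""
        if user is not None:
            if usage not in (ALLOWED, DENIED):
                raise ValueError("USAGE must be *ALLOWED or *DENIED")
            self.entries[user.upper()] = usage
        if allobjaut is not None:
            if allobjaut not in (USED, NOTUSED):
                raise ValueError("ALLOBJAUT must be *USED or *NOTUSED")
            self.allobj_authority = allobjaut


@dataclass
class UserProfile:
    """Hypothetical view of a user profile: its group profiles and *ALLOBJ status."""
    name: str
    groups: tuple = ()        # primary group plus supplemental groups
    has_allobj: bool = False  # user holds *ALLOBJ special authority


def is_usage_allowed(fu: FunctionUsage, user: UserProfile) -> bool:
    """Resolve the function usage check for one user, in precedence order."""
    name = user.name.upper()
    # Assumption: ALLOBJAUT(*USED) is applied first, so an *ALLOBJ user passes
    # as though granted explicit usage. ALLOBJAUT(*NOTUSED) makes this a no-op.
    if fu.allobj_authority == USED and user.has_allobj:
        return True
    # Second special case: an explicit user entry overrides every group entry.
    if name in fu.entries:
        return fu.entries[name] == ALLOWED
    # First special case: with only group entries, one *ALLOWED group suffices.
    group_settings = [fu.entries[g.upper()] for g in user.groups
                      if g.upper() in fu.entries]
    if group_settings:
        return ALLOWED in group_settings
    # Neither the user nor any of its groups is referenced: default usage decides.
    return fu.default_usage == ALLOWED


def connection_outcome(fu: FunctionUsage, user: UserProfile) -> str:
    """What a connecting user sees; the denial text follows the message quoted above."""
    if is_usage_allowed(fu, user):
        return "connection accepted; user exit program (if any) now gets control"
    return (f"CPF9898 {fu.fcnid} FUNCTION USAGE IS DENIED FOR USER PROFILE "
            f"{user.name.upper()}")


if __name__ == "__main__":
    # Constructed scenario from the text: USER1 is in GRPA and GRPB.
    fu = FunctionUsage("QIBM_DB_DDMDRDA")
    fu.chgfcnusg(user="GRPA", usage=DENIED)
    fu.chgfcnusg(user="GRPB", usage=ALLOWED)
    user1 = UserProfile("USER1", groups=("GRPA", "GRPB"))
    print("groups only   :", connection_outcome(fu, user1))
    fu.chgfcnusg(user="USER1", usage=DENIED)
    print("explicit deny :", connection_outcome(fu, user1))
```

The model is useful for reasoning through a WRKFCNUSG listing before changing it: run a proposed set of entries against the profiles that actually open DDM and DRDA connections, and confirm that nothing relying on QRWTSRVR jobs is denied by accident.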