IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Not under consideration
Workspace IBM i
Categories IBM i Access Family
Created by Guest
Created on Mar 28, 2024

RELATED IDEAS

Please add a prompt to run the setup functions again. (Resubmitted)

Please see the idea I created before with the same title.

The functionality needed as you say is already in the system. I disagree.

Control is available but is totally in the hands of the PC and network folk. They are not responsible for the security of the data on the IBM i. I as an admin, am. We need to be able to manage what features a user can have. The way it works now leaves us admins, responsible, but with no control over what a user gets access to.

Working in the larger corporations with hundreds of PC's to manage, these teams create a single image which they install on each PC as part of building the PC. They restore the image and put it out there for the user. They will not entertain multiple versions. I am told its an IBM problem. I have had many arguments with them, which I loose because the set up steps in ACS are too lengthy. When they build 20 + PC's, they do not have time to configure individual PC's. That responsibility is passed on to the IBM i admins, but we are limited because IBM i admins do not get admin rights to PC's.

Problems:

  • we are responsible for something we have no control over.
  • younger users have learnt how to use SQL and RSS allows these users to mess with the data.
  • users can upload and download data into the system replacing data in files.
  • the added security is added to the Windows registry. I don't know where this is on Mac or LINUX. Admins do not have access to the registry.
  • Corporations are now allowing users a mix of devices, Windows, Mac, LINUX, tablets...

Solution proposed:

  • allow authority as is currently defining in the ACSconfig.properties
  • allow authority as in the windows registry
  • New request
    • Transfer control to the IBM i operating system. If then set up on the IBM i operating system, let this override the the above 2.
      • ACS could make simple calls to the IBM i OS to get a list of the authorities and then enable the authorized features.
    • This method makes it 
      • easy to control ACS centrally by IBM i admins 
      • it would not matter if the PC is swapped out
      • it would not matter if the user uses multiple PC's or devices
Idea priority High
  • Guest
    Reply
    |     Apr 3, 2024
    Thank you for submitting your Idea to enhance IBM i Access Client Solutions (ACS). ACS can be deployed a variety of ways and also allows multiple installations to handle a variety of different requirements. For convenience, ACS allows its functions to be selected for inclusion or exclusion from any given deployment. Depending on the users authority to administer their PC and the ACS configuration, they could potentially modify what functions are available. For details on various ways to include and exclude functions, see GettingStarted section 11.2.1 Restriction Functions https://www.ibm.com/support/pages/ibm-i-access-acs-getting-started#11.2.1 . A visible function to the user does not mean the user has authority to do whatever that function allows. Ultimately, whether or not a user actually has access is determined by their authorities on the IBM i server. One option to control server side access is the WRKFCNUSG command. ACS supports the same settings for WRKFCNUSG as were supported by IBM i Access for Windows. For additional details for using WRKFCNUSG, see https://www.ibm.com/docs/en/i/7.5?topic=reference-supplied-function-ids . We have no plans to adjust visibility of functions in ACS based on server side settings.

    IBM Power Systems Development
  • Guest
    Reply
    |     Apr 2, 2024

    I agree that the settings should be stored on the IBM I, they are accessing.

    It is very easy for an user to edit a simple file on his/hers PC giving access to more
    functionality that they should be allowed.


    The user could then be attached to a standard profile or an individual profile.


  • Guest
    Reply
    |     Mar 28, 2024

    ACS uses some of the old Client Access and OpsNav function IDs that can be used to restrict functionality for users and groups on the IBM i side.

    The SQL functions can be restricted on the IBM i side using this function id (WRKFCNUSG): https://www.ibm.com/support/pages/can-you-restrict-users-using-sql-ibm-i
    For a description of them, look here: https://www.ibm.com/docs/en/i/7.5?topic=reference-supplied-function-ids


    I think you also can restrict Data Transfer Upload and Downloads using these function id's:
    https://www.ibm.com/docs/en/i/7.5?topic=reference-supplied-function-ids#rzarlfunctionusage__funcidACS

    Just remember, this is access control on the IBM i side and does not enable or disable which functions the user can see in ACS

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.