All you need is the User Function Registration APIs.
Last month, in "Accessing a Command Line," we looked at how the Retrieve User Information (QSYRUSRI) API could be used to control access to a specific function with an application program. The function we were controlling was access to a command line window, displayed using the Display Command Line Window (QUSCMDLN) API, by way of command key 9. The application determined whether or not command key 9 should be enabled, based on the user class (USRCLS) attribute of the user profile currently running the application program. In this article, we will look at a more flexible approach to managing user access to an application program function. For demonstration purposes, the application function being managed will continue to be the ability to access a command line window (using QUSCMDLN).
Back in V4R3, IBM provided a set of APIs referred to as the User Function Registration APIs. These APIs allow you to manage the registration of, and the access by users to, user-defined application functions. This function might be, as we'll be using today, access to a command-line window from an application. These registered functions might also be the ability for a user to run (or even see) particular update functions within a program, use a command key from an inquiry program to access a full social security number (as opposed to only the last four digits with the first five digits masked as XXX-XX), and the like.
Note that these APIs are not a replacement for your securing of resources such as database files, programs, etc. Users who are not allowed to use a particular application function due to the user function registration APIs can still perform the function through other interfaces. For instance, disabling an update function within program ABC, using the APIs we will be discussing, does not prevent a user from using SQL or DFU to accomplish the update (assuming in this case that the user is authorized to the underlying table/file).
The first step in using the User Function Registration APIs is to determine what application function you want to control and then registering that function. As we have already determined which function we wish to control—access to the command line window—we will turn next to registering the function. The registration of a user function can be accomplished by either calling the program QSYRGFN or the procedure export QsyRegisterFunction of service program QSYRGFN1. In our example programs, we'll be using the procedure QsyRegisterFunction.
There are several key decisions that you must make when registering a new user function, with the first being the name of the function. User function names, referred to in the API documentation as Function IDs, can be up to 30 bytes in length, and the scope of the name is system-wide. Due to function names/IDs being system-wide, IBM provides naming recommendations so as to minimize the potential of your names conflicting with third-party function names that are perhaps registered on your system—and, of course, IBM-provided function names. The recommendation is to start the function name with your company name, followed by an underscore, and then text describing the function being controlled. IBM, for instance, uses function names such as QIBM_ACCESS_ALLOBJ_JOBLOG and QIBM_SERVICE_TRACE. To see the user functions currently registered on your system, you can use the command WRKFCNUSG FCNID(*ALL). System i Navigator also allows you to see the user functions that are on your system.
If your company has several development groups, you may also want to further qualify user function names. IBM, for instance, uses the naming convention QIBM_Qccc_Descriptive_Text, where Qccc represents different development teams (components) within the operating system. Using this further qualification avoids one team, such as security (component SY), from inadvertently choosing the same descriptive name as work control (component WC).
Other key decisions involve what default usage (allow vs. disallow) should be used if a given user is not explicitly defined for the function, whether users with the special authority *ALLOBJ should be implicitly allowed access to the function, etc. In a future article, we'll look at some of these other decisions in greater detail. For now, we'll simply assume that we want to register a function named BVS_CMD_LINE_WINDOW (where BVS represents "my" company name of Bruce Vining Services) and that, by default, non-*ALLOBJ users should be denied access to the function.
Prior to actually registering our function, we need to register the product within which the function exists. We will name our product BVS_APPLICATIONS and register this product with the following program.
h DftActGrp(*no)
dCrtFcn pr extproc('QsyRegisterFunction')
d FcnID 30 const
d FcnControls 4096 const options(*varsize)
d QUSEC likeds(QUSEC)
dPrdControls ds qualified
d NbrOfCtls 10i 0 inz(1)
d LenKey2Len 10i 0 inz(16)
d Key2 10i 0 inz(2)
d LenKey2Dta 10i 0 inz(1)
d Key2Dta 1a inz('1')
d 3a
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
CrtFcn('BVS_APPLICATIONS' :PrdControls :QUSEC);
*inlr = *on;
return;
/end-free
Assuming that the previous program source is stored in member REGPRD (for Register Product) of QRPGLESRC, we can compile the program with CRTBNDRPG REGPRD and then run the program with CALL REGPRD. As with the discussion of other registration decisions, we'll look at the details of this (and the following program) in a subsequent article. For now, we'll just get our command line function registered and see how it can be used by the DSPHI application we developed last month.
The following program will register our initial product function to be controlled: BVS_CMD_LINE_WINDOW.
h DftActGrp(*no)
dCrtFcn pr extproc('QsyRegisterFunction')
d FcnID 30 const
d FcnControls 4096 const options(*varsize)
d QUSEC likeds(QUSEC)
dFcnControls ds qualified
d NbrOfCtls 10i 0 inz(3)
d LenKey3Len 10i 0 inz(44)
d Key3 10i 0 inz(3)
d LenKey3Dta 10i 0 inz(30)
d Key3Dta 30a inz('BVS_APPLICATIONS')
d 2a
d LenKey6Len 10i 0 inz(144)
d Key6 10i 0 inz(6)
d LenKey6dta 10i 0 inz(132)
d Key6Dta 132a inz('Provide command line -
d window access')
d LenKey11Len 10i 0 inz(16)
d Key11 10i 0 inz(11)
d LenKey11Dta 10i 0 inz(1)
d Key11Dta 1a inz('1')
d 3a
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
CrtFcn('BVS_CMD_LINE_WINDOW' :FcnControls :QUSEC);
*inlr = *on;
return;
/end-free
Assuming that the above program source is stored in member REGCMDLN (for Register Command Line) of QRPGLESRC, you can compile the program with CRTBNDRPG REGCMDLN and then run the program with CALL REGCMDLN. If you now use the Work with Function Usage command, WRKFCNUSG FCNID(*ALL), you should see that function BVS_CMD_LINE_WINDOW is registered with your system. Taking option 5 (Display usage) from the Work with User Function display panel of WRKFCNUSG, you will see that there are no users currently registered with the BVS_CMD_LINE_WINDOW function. While there is an API to add users to a User Function (which we will use in a future article), for now we'll use the Change Function Usage (CHGFCNUSG) command to add a user to BVS_CMD_LINE_WINDOW.
The following command will allow user profile VINING access to our registered function.
CHGFCNUSG FCNID(BVS_CMD_LINE_WINDOW) USER(VINING) USAGE(*ALLOWED)
Note that you should change the user name VINING in the previous command to a profile name (such as your own) that exists on your system. The profile name must exist at the time you run the command.
Having given VINING access to the command line window function, now let's see what needs to be changed in our DSPHI program to use the User Function Registration APIs—rather than the user class of VINING—in order to allow (or disallow) access to the command line window. Shown below, in bold, are the changes needed to last month's program.
h DftActGrp(*no)
fHI cf e workstn
dChkUsr pr extproc('-
d QsyCheckUserFunctionUsage')
d Usage 1
d Function 30 const
d UsrPrf 10 const
d QUSEC likeds(QUSEC)
dUseCmdLine pr extpgm('QUSCMDLN')
dUsage s 1a
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
ChkUsr(Usage :'BVS_CMD_LINE_WINDOW' :'*CURRENT' :QUSEC);
*in39 = (Usage = '2');
exfmt HiThere;
dow (not *in03);
if *in09;
UseCmdLine();
endif;
exfmt HiThere;
enddo;
*inlr = *on;
return;
/end-free
By compiling the changed DSPHI program shown above, signing on as the user previously registered to the BVS_CMD_LINE_WINDOW function, and calling DSPHI, you should see that command key 9 is enabled. By signing off, signing back on as a user not registered to BVS_CMD_LINE_WINDOW and without the *ALLOBJ special authority, and calling DSPHI, you should see that command key 9 is no longer available. By signing off, signing back on as a user with the special authority *ALLOBJ and not registered to BVS_CMD_LINE_WINDOW, and calling DSPHI, you should see that this user does have access to command key 9.
Prior to closing this article, and assuming that you don't want BVS_APPLICATIONS to continue being registered on your system, you can remove the registered function (and product) using the following program.
h DftActGrp(*no)
dDltFcn pr extproc('QsyDeregisterFunction')
d FcnID 30 const
d QUSEC likeds(QUSEC)
/copy qsysinc/qrpglesrc,qusec
/free
QUSBPrv = 0;
DltFcn('BVS_CMD_LINE_WINDOW' :QUSEC);
DltFcn('BVS_APPLICATIONS' :QUSEC);
*inlr = *on;
return;
/end-free
Assuming that the previous program source is stored in member DREGPRD (for Deregister Product) of QRPGLESRC, you can compile the program with CRTBNDRPG DREGPRD and then run the program with CALL DREGPRD.
As mentioned earlier, next month we'll look at more of the details behind the above programs. In future articles, we'll also look at some of the benefits you can pick up by utilizing the User Function Registration APIs within your applications—for instance, that the usage information associated with a user is saved and restored with the user profile when using commands such as SAVSECDTA, RSTUSRPRF, and RSTAUT.
As usual, if you have any API questions, send them to me at This email address is being protected from spambots. You need JavaScript enabled to view it.. I'll see what I can do about answering your burning questions in future columns.
LATEST COMMENTS
MC Press Online