IBM Support

Authority

News


Abstract

Authority requirements for using Performance Data Investigator

Content

Authority Topics:

A user is required to have authority to the database files and members used in Performance Data Investigator

If a userid does not have *ALLOBJ authority (for example, User Class *SECOFR authority with *ALLOBJ removed), it will need to be added to these two authorization lists:

  1. QPMCCDATA
  2. QPMCCFCN

A user is required to have authority in the Monitor authorization list for System Monitors

If a userid does not have *ALLOBJ authority (for example, User Class *SECOFR authority with *ALLOBJ removed), add the profile to the QINAVMNTR authorization list.

For more detail, see: Authority for Navigator System Monitors

PDI authority information for user profile

To get the access needed to run PDI or Performance tasks in the IBM Navigator for i GUI, a user profile that does not have all object authority must be added to both authorization lists: QPMCCFCN and QPMCCDATA.

Adding a user profile to an authorization list can be done with the IBM Navigator for i GUI interface or through the green screen command line. For the steps to add a user profile to an authorization list, see Adding a User Profile in Authority for Navigator System Monitors

Set object authority to *ALL.

 

Note:  The authorization lists allow access to the database files and CS commands like CFGPFRCOL and CRTPFRDTA.  

*MGTCOL objects are *EXCLUDE for public but there is a special user profile that is shipped with the OS named QCOLSRV that can access the *MGTCOLs as well as the database files and CS commands.  Any other user would need *ALLOBJ authority to gain access to the *MGTCOLs.



Job Watcher and Disk Watcher

Use the Job Watcher and Disk Watcher performance web interfaces to create definitions and to start and stop JW & DW.

To use Job Watcher and Disk Watcher commands, you must:

  • Have service (*SERVICE) special authority, or be authorized to the Job Watcher or Disk Watcher function of the operating system.
    • Two options:

      1- Change the user profile to add *SERVICE special authority, which allows the user to create Job Watcher and Disk Watcher definitions and to start Job Watcher and Disk Watcher.

      2- Use the Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_JOB_WATCHER or QIBM_SERVICE_DISK_WATCHER, to change the list of users that are allowed to use the Job Watcher or Disk Watcher commands.

      CHGFCNUSG FCNID(QIBM_SERVICE_JOB_WATCHER) USER(<usrprofile>) USAGE(*ALLOWED)

      CHGFCNUSG FCNID(QIBM_SERVICE_DISK_WATCHER) USER(<usrprofile>) USAGE(*ALLOWED)

      To read more on Function Usage IDs, see this article: IBM i function usage IDs

  • Have execute (*EXECUTE) authority to the library specified in the Library parameter (default QPFRDATA).
  • Have authority to see the definitions for JW & DW shipped public *EXCLUDE:
    • To see the definitions shipped in Disk Watcher, users require authority to QAPYDWDFN file in QSYS 
    • To see the definitions shipped in Job Watcher, users require authority to the QAPYJWDFN file in QSYS (OR QUSRSYS)

Collection Services - Configure & Cycle requires *JOBCTL authority

Collection Services (CS) requires the user profile to have *JOBCTL special authority to cycle Collection Services and to configure Collection Services.


Performance Explorer (PEX)

PDI has perspectives to view PEX TPROF data.

To use PEX you must have *SERVICE special authority, or be authorized to the Service Trace function of the operating system.

The Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE, can be used to change the list of users that are allowed to perform trace operations.

CHGFCNUSG FCNID(QIBM_SERVICE_TRACE) USER(<usrprofile>) USAGE(*ALLOWED)

The PEX commands are shipped with public *EXCLUDE authority.

The following user profiles have private authorities to use the command:  QPGMR, QSRV
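The requirements above can be checked for one profile with a single read-only query from Run SQL Scripts. This is an added example, not IBM-supplied code; it assumes the QSYS2 services views AUTHORIZATION_LIST_USER_INFO, FUNCTION_USAGE and USER_INFO are available on the release, and PDIUSER is a placeholder profile name.

```sql
-- Added example: audit one profile against the PDI authority requirements.
-- PDIUSER is a placeholder; replace it with the profile being checked.
-- Only entries held directly by the profile are reported: authority that
-- comes from a group profile or from a function's default usage is not shown.
WITH target (usr) AS (
    SELECT CAST('PDIUSER' AS VARCHAR(10)) FROM SYSIBM.SYSDUMMY1
),
required (kind, item) AS (
    -- Authorization lists for PDI and for System Monitors
    SELECT 'AUTL',   'QPMCCDATA'                 FROM SYSIBM.SYSDUMMY1 UNION ALL
    SELECT 'AUTL',   'QPMCCFCN'                  FROM SYSIBM.SYSDUMMY1 UNION ALL
    SELECT 'AUTL',   'QINAVMNTR'                 FROM SYSIBM.SYSDUMMY1 UNION ALL
    -- Function usage IDs for Job Watcher, Disk Watcher and PEX
    SELECT 'FCNUSG', 'QIBM_SERVICE_JOB_WATCHER'  FROM SYSIBM.SYSDUMMY1 UNION ALL
    SELECT 'FCNUSG', 'QIBM_SERVICE_DISK_WATCHER' FROM SYSIBM.SYSDUMMY1 UNION ALL
    SELECT 'FCNUSG', 'QIBM_SERVICE_TRACE'        FROM SYSIBM.SYSDUMMY1 UNION ALL
    -- Special authorities named on this page
    SELECT 'SPCAUT', '*ALLOBJ'                   FROM SYSIBM.SYSDUMMY1 UNION ALL
    SELECT 'SPCAUT', '*SERVICE'                  FROM SYSIBM.SYSDUMMY1 UNION ALL
    SELECT 'SPCAUT', '*JOBCTL'                   FROM SYSIBM.SYSDUMMY1
)
SELECT r.kind,
       r.item,
       CASE r.kind
           WHEN 'AUTL'   THEN COALESCE(a.OBJECT_AUTHORITY, 'not on list')
           WHEN 'FCNUSG' THEN COALESCE(f.USAGE, 'no explicit entry')
           ELSE CASE WHEN LOCATE(r.item, u.SPECIAL_AUTHORITIES) > 0
                     THEN 'present' ELSE 'absent' END
       END AS status
FROM required r
CROSS JOIN target t
LEFT JOIN QSYS2.AUTHORIZATION_LIST_USER_INFO a
       ON r.kind = 'AUTL'
      AND a.AUTHORIZATION_LIST = r.item
      AND a.AUTHORIZATION_NAME = t.usr
LEFT JOIN QSYS2.FUNCTION_USAGE f
       ON r.kind = 'FCNUSG'
      AND f.FUNCTION_ID = r.item
      AND f.USER_NAME = t.usr
LEFT JOIN QSYS2.USER_INFO u
       ON r.kind = 'SPCAUT'
      AND u.AUTHORIZATION_NAME = t.usr
ORDER BY r.kind, r.item;
```

A profile with *ALLOBJ present does not need the authorization list entries; for any other profile, each AUTL row should show *ALL.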

 

Authority Problems

1) No collections: The following are all symptoms of an authority issue with the collection or with running the SQL that accesses the collections list:

  • collections or library drop-down are empty when selecting a collection for a perspective
  • the manage collections list is empty
  • the launch to a chart does not happen when a perspective and collection are selected

After completing the authorization steps listed first, check the following:

  • Verify that you can see the entries in the table by running the following in Run SQL Scripts (from Access Client Solutions - ACS): SELECT * FROM QUSRSYS.QAPMCCCNTB
  • Is there an exit point registered that blocks the connection to the as400 toolbox? Use command WRKREGINF to find out.
  • If an exit program to restrict the running of SQL for user profiles is set up, it will prevent PDI from running.  Users who use PDI must have ability to run SQL to access the collections.
  • Check with WRKREGINF to get a list of the registered exit points.  The registered exit points may not specifically stop the query from STRSQL, but it could block the SQL from coming through the port.  To verify that you have access to the required table, enter the following in RunSQLScripts: SELECT * FROM QUSRSYS.QAPMCCCNTB
    • Exit programs defined for these exit points can affect PDI or monitors:  
      • QIBM_QZDA_INIT
      • QIBM_QZRC_RMT
      • QIBM_QZHQ_DATA_QUEUE
  • Try different user profiles, such as QSECOFR or QPGMR, to see whether they work. If they do, but your profile does not, the cause could be an exit point affecting user profiles created since a registered exit point was added. As a network security measure, the exit point may disable the SQL function on IDs created after that time but might not affect all IDs (those created earlier).

2) No perspectives: If you cannot see any perspectives on the left navigation or when you select Investigate Data, it is most likely an authority issue for the PML directory where the perspectives are defined.  When you have completed the authorization steps listed first, then check these items:

  • Make sure all IBM i Access servers are running: Network -> Servers -> IBM i Access Servers
  • Is Collection Services running on the system?  Are there active or stopped collections in QMPGDATA?  Have the customer show the drop-down for the Collection Library and Collection Name on the Investigate Data panel.
  • Run areVerify on the system being targeted
    The following network health checker (ARE) command covers the FQDN and DNS availability checks:
        /QIBM/ProdData/OS/OSGi/templates/bin/areVerify.sh -network
    Specifically, look for the interface defined for the loopback.
  • Check for bad DNS and other performance improvements: Improving IBM Navigator for i Performance

3) Cannot select a perspective: If a valid collection is selected but selecting a perspective does not display a chart, check the following:

  • The chart can only be launched when a perspective is selected and a valid collection for that perspective is also selected. It requires two choices. Verify that these are both being done.
  • If there are no collections being shown in the drop-down menu, check that collections are shown in the Management Collections table. If any expected collections are missing, Rebuild Collections Table. Missing collections are due to not using *PFRCOL commands to move, restore, or copy collections.
  • Verify user profile authority as listed first on this page.
  • The selected perspective must be valid for the collection selected:  Verify that the members exist for that collection in each of the required files.  Start with: "CPU Utilization & Waits Overview" requires QAPMISUM & QAPMSYSTEM.  The Perspective link is active if those files exist for the collection selected.
  • Check whether anything in Collection Services Database Files can be viewed.  Start with QAPMSYSTEM.
  • Possibly out of sync data.  Log out of IBM Navigator for i and log back in.


Document Information

Modified date:
15 September 2021

UID

ibm11127067