Performance Data Investigator - Authority Requirements

• GRTOBJAUT OBJ(CRTDDMF) OBJTYPE(*ALL) USER(<userprofile>);

• CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(<userprofile>) USAGE(*ALLOWED);
• CHGFCNUSG FCNID(QIBM_DB_SQLADM) USER(<userprofile>) USAGE(*ALLOWED);

If a userid does not have *ALLOBJ authority (for example, User Class *SECOFR authority with *ALLOBJ removed), it needs to be added to these two authorization lists:

1. QPMCCDATA
2. QPMCCFCN

Authority in the Monitor authorization list for System Monitors is required for all users to access System Monitors

If a userid does not have *ALLOBJ authority (for example, User Class *SECOFR authority with *ALLOBJ removed), add the profile to the monitor authorization list:  QNAVMNTR.

To view the data resulting from monitors, a user will also require access to the PDI-specific authorization lists.

For more detail, see: Authority for System Monitors

PDI authority information for user profile

For correct access needed to run PDI or Performance task in the IBM Navigator for i GUI, add a user profile to the authorization lists specific to PDI and the data generated by Collection Services: QPMCCFCN, QPMCCDATA.  If a user profile does not have all object authority, add the profile to the authorization lists. 

Adding a user profile to an authorization list can be done with the IBM Navigator for i GUI interface or through the green screen command line.

New Navigator Function Usage IDs

To access function within the IBM Navigator for i, a user is required to be allowed access through function usage IDs. 

• QIBM_NAV_PDI is for Performance function
• QIBM_NAV_MONITORS is for Monitor function

See Function Usage IDs for more information.

Update Authorization List - Navigator for i:

Figure 1: Open Authorization Lists under Security

Figure 2: Filter for QPMC to see the two lists

Figure 3:  For one of the two authorization lists, select Actions-> Permissions to view and edit the list.

< future availability>

Figure 4: Select Add button to put in a new user profile.

< future availability>

Figure 5: Under Specify type in user profile, or select from list.

< future availability>

Figure 6: Select Ok or Apply to complete add

Update Authorization list - Green Screen Commands:

Use the EDTAUTL command on the i:

1. EDTAUTL AUTL(<authorization list>)  
2. Click F6 for Add new user
3. <usrprf> *ALL

> ADDAUTLE AUTL(QPMCCDATA) USER(<usrprf>) AUT(*ALL)
> ADDAUTLE AUTL(QPMCCFCN) USER(<usrprf>) AUT(*ALL)

> ADDAUTLE autle(QNAVMNTR) user(<usrprf>) AUT(*ALL) [use QINAVMNTR for heritage Navigator]

Note:  The authorization lists allow access to the database files and CS commands like CFGPFRCOL and CRTPFRDTA.  

*MGTCOL objects are *EXCLUDE for public but there is a special user profile that is shipped with the OS named QCOLSRV that can access the *MGTCOLs as well as the database files and CS commands.  Any other user would need *ALLOBJ authority to gain access to the *MGTCOLs.

Use Job Watcher and Disk Watcher performance on the web interfaces to create definitions and start and stop JW & DW. 

To use Job Watcher and Disk Watcher commands

• Requires service (*SERVICE) special authority, or be authorized to the Job Watcher or Disk Watcher function of the operating system.

  • Two options:

    1- Change User Profile to add *SERVICE authority to create Job Watcher & Disk Watcher Definitions or to Start Job Watcher and Disk Watcher.

    2- Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_JOB_WATCHER or QIBM_SERVICE_DISK_WATCHER, can be used to change the list of users that are allowed to use this command.

    CHGFCNUSG FCNID(QIBM_SERVICE_JOB_WATCHER) USER(<usrprofile>) USAGE(*ALLOWED)

    CHGFCNUSG FCNID(QIBM_SERVICE_DISK_WATCHER) USER(<usrprofile>) USAGE(*ALLOWED)

    To read more on Function Usage IDs, see this article: IBM Navigator for i function usage IDs

• Requires execute (*EXECUTE) authority to the library specified in the Library parameter (default QPFRDATA).
• Requires authority to see the definitions for JW & DW shipped public *EXCLUDE:
  • To see the definitions shipped in Disk Watcher, users require authority to QAPYDWDFN file in QSYS 
  • To see the definitions shipped in Job Watcher, users require authority to the QAPYJWDFN file in QSYS (OR QUSRSYS)

CS requires user profile to have *JOBCTL special authority to Cycle Collection Services and Configure Collection services.

PDI has perspectives to view PEX TPROF data.

To use PEX you must have *SERVICE special authority, or be authorized to the Service Trace function of the operating system.

Change Function Usage (CHGFCNUSG) command, with a function ID of QIBM_SERVICE_TRACE, can be used to change the list of users that are allowed to perform trace operations.

CHGFCNUSG FCNID(QIBM_SERVICE_TRACE) USER(<usrprofile>) USAGE(*ALLOWED)

The PEX commands are shipped with public *EXCLUDE authority.

The following user profiles have private authorities to use the command:  QPGMR, QSRV

1) No collections:  The following are all symptoms of an authority issue to the collection or executing SQL to access the collections list:

• Empty collections list or library drop-down
• The manage collections list is empty
• The launch to a chart does not happen when a perspective and collection are selected

Check the following after completing the authorization steps listed: 

• Verify that you can see the entries in the table, RunSQLScripts (from Access Client Solutions - ACS): > SELECT * FROM QUSRSYS.QAPMCCCNTB
•  Is there an exit point registered that blocks the connection to the as400 toolbox?  Use command WRKREGINF to find out.
• If an exit program to restrict the running of SQL for user profiles is set up, it prevents PDI from running.  Users who use PDI must have ability to run SQL to access the collections.
• Check with WRKREGINF to get a list of the registered exit points.  The registered exit points may not specifically stop the query from STRSQL, but it could block the SQL from coming through the port.  To verify that you have access to the required table, enter the following in RunSQLScripts: SELECT * FROM QUSRSYS.QAPMCCCNTB
  • Exit programs defined for these exit points can affect PDI or monitors:  
    • QIBM_QZDA_INIT
    • QIBM_QZRC_RMT
    • QIBM_QZHQ_DATA_QUEUE
• Try different user profiles:  QSECOFR, QPGMR, to see whether they work.  If they do, but your profile does not, it could be affecting user profile created since a registered exit point was added.  The exit point can disable the SQL function for network security measures on IDs created after that time but might not affect all (created earlier).

2) No perspectives: If you cannot see any perspectives on the left navigation or when you select Investigate Data, it is most likely an authority issue for the PML directory where the perspectives are defined.  After you complete the authorization steps listed, check these items:

• Make sure all IBM i Access servers are running Network -> Servers -> IBM i Access Servers
• Is Collection Services running on the system?  Are there active or stopped collections in QMPGDATA?  Have the customer show the drop-down for the Collection Library and Collection Name on the Investigate Data panel.
• Run areVerify on the system being targeted
  The following command network health checker (ARE) covers the FQDN and DNS availability checks:
      /QIBM/ProdData/OS/OSGi/templates/bin/areVerify.sh -network
  Specifically, look for the interface defined for the loopback.
• Check for bad DNS and other performance improvements:  Improving IBM Navigator for i Performance
  • Note that much of this is outdated, since it was originally written for the heritage Navigator.