With IBM Navigator for i, application administration has never been easier.
What's Application Administration? Simply put, Application Administration is a utility that allows you to control functions and applications available to users and groups on IBM i.
There's an IBM i command that's similar to Application Administration in that it allows you to manage many different system components—from specifying which users can get/put via an FTP client to controlling who can manage disk pools via the IBM Navigator for i Web interface or the System i Navigator thick client. In the spirit of modernization, I'm not going to show you how to use that command or even tell you the command name.
What I will show you is how to access Application Administration using IBM Navigator for i so you can manage these applications via the rich graphical Web interface. The IBM Navigator for i method is so much cleaner, easier, and more modern. With that being said...
Let's Roll with the New...
Open a Web browser and go to http://<yoursystem>:2001/ where <yoursystem> is replaced by either your server's IP address (e.g., 192.168.x.x) or its fully qualified address (server.domain.com). Log in using your IBM i user ID and password, ideally with administration authorities to manage all aspects of your system.
Figure 1: Expand IBM i Management and click System.
Figure 2: Click on Application Administration
In the new tab that opens, you'll see that you can manage various applications and functions you want available to users. As with the 5250 command, this should not be relied upon as a sole security mechanism. With that being said, tightening security via this tool is definitely not a bad idea.
Perhaps you have a couple of users with a little more security than they actually need, but you don't want them to be able to access those functions in an easy-to-use graphical tool like IBM Navigator for i or System i Navigator. How do you stop them? Well, you can explicitly exclude them from those functions by customizing Application Administration.
Let's pick something like printer management. Users who have *SPLCTL authority are authorized to view all output queues. Graphical tools like IBM Navigator for i allow you to convert spooled files to PDF automatically, and System i Navigator allows you to drag and drop spooled files to your desktop with ease, simplifying the process for anyone with authority to commit mischief. While re-evaluating the *SPLCTL authority is the best option, perhaps some users need that ability for some reason, but you still want to make it difficult for the user to walk away with PDF or text files of sensitive information.
You can do this by drilling down through System i Navigator to Printer Management, clicking on the double right arrow and choosing customize.
Figure 3: Exclude a user from printer output.
Then you can choose users from the left pane and add them to the Access Denied list on the right. Click OK at the bottom and you're done.
Figure 4: Add users to the Access Denied list.
Another cool, more practical thing to do would be to limit the users allowed to send files to or receive files from IBM i via FTP client. In order to do that, you'd have to click on Host Applications on the left side of the Application Administration screen and drill down to the send/receive FTP options through TCP/IP Utilities. From there, you can customize access to only the profiles you choose.
Figure 5: Secure the FTP options.
Other things you can control are specifying who can view the job log of an *ALLOBJ user, who can run Windows remote command (RMTCMD.exe) program, who can use the Microsoft Excel plug-in to download data, who can run a communications trace (think about any unencrypted traffic you don't want sniffed via an easy-to-use graphical tool), and much, much more. Log in and have a look around.
Once again, Application Administration should not be used as a sole security tool. For the System i Navigator client functions, Application Administration caches restrictions on the client so a person with administrator rights to their computer could manually hack their registry in order to get these functions. Changes to the host-based functions (e.g., FTP) are implemented immediately. This is just another layer of protection that should be paired with a proper security strategy.