Hit enter to search

The New Navigator For i

Author Avatar
Rudi van Helvoirt

The log4j issue was all over the news back in December 2021, one of its victims is the now called Heritage Navigator for i. IBM did publish a document titled: Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) When looking at this document you will find a section called “Workarounds and Mitigations”, in there you can read the following:

IBM Navigator for i - heritage version uses log4j v1.x and cannot be updated to log4j v2.x or be removed from use.  Customers can mitigate the CVE by discontinuing the use of the heritage version of IBM Navigator for i.

In this document you will find the instruction for what needs to be done to shut down the heritage version of Navigator for i and because of log4j it is time to send it into retirement. The king is dead, so long live the new king, but before you start using the New Navigator for i (Nav4i), you better start by first looking at the function usage for Nav4i first. Below a definition found on IBM's website:

Function usage provides the ability to implement granular security controls rather than granting users powerful special authorities such as all object, job control, or service. This article review all the function usage IDs that are available and their purpose. 

To get a better idea what it is, the image shown below might ring a bell:

IBM navigator for i - image 1 text

What you are seeing may bring back memories from iSeries Navigator for i, the tree structure did look exactly the same. As the heritage Navigator for i started by default, the column “Default Access” check box will give a user with no extra authority the possibility to signor to the heritage Navigator for i and have a look at all the user profiles present on the system.

By default, all the boxes for “Default Access” are checked, so most system administrators have made adjustments in that area and will only allow access to users with *ALLOBJ authority.
Back in the time when iSeries Navigator for i was replaced by IBM Systems Director Navigator for i, the predecessor of the heritage Navigator for i, you might think the new Nav4i is using the same Usage Functions.
I hate to spoil the surprise, but that is not the
case. For the new Nav4i IBM did start with new Functions. In order to find out what their names are, please have a look at the image below, where you can see how to maintain them:

New-navigator-for-i---image-2-text

 

When selecting the option “Function Usage” the Db2 for i service QSYS2.FUNCTION_INFO is executed, showing you:

new-navigator-for-i---image-3-text

All the Function IDs with “NAV” in their name are the new functions made available to control the availability of functions within the new Nav4i. When using the filter function as shown below you will see that the numbers match:

New-navigator-for-i---image-4-text

Well, not exactly. The number of icons on the left is higher, but if you leave the one on top and the last two out, the number is 11. The number on display is 12. The difference is made by the Function ID: “QIBM_NAV_ALL_FUNCTION” with the description: “USE OF IBM NAVIGATOR FOR i FUNCTIONS”. Which does make sense, as that Function ID will give you control over what other users are seeing. When hovering over a line after having selected it, the option “Change” will pop up:

new-navigator-for-i---image-5-text

When selecting it, your screen will look like this:

new-navigator-for-i---image-6-text

As a system administrator, it is your task to grant the right users access to what they need to do their job. I do not think it needs an explanation to remove the default authority for users without *ALLOBJ authority. Even removing the authority for users with *ALLOBJ might be a good idea, if your application comes with a user with *ALLOBJ which is used by the application manager. So who do you grant and who do you deny access is always the question. As always, the answer is: It depends.

The good thing is that as long as you do not remove yourself from the Product ID “ QIBM_NAV_ALL_FUNCTION” to have the option to correct yourself. If you make the error to lock yourself out, you can still correct that using 5250 emulation with the command: “WRKFCNUSG FCNID(QIBM_NAV_ALL_FUNCTION)”.      

After denying a user access for a Function ID, a user can still hover over the icon and see all the option available, but when selecting one of them the window shown below will pop up:

new-navigator-for-i---image-7-text

After going through all Product ID's and having set the access for new Nav4i according to your wishes. You are ready to go and start using the new Nav4i and soon you will have forgotten all about the heritage Navigator for i. Why? Well, because the new Nav4i is so much better. Yes, it is that simple.

 

Current job openings

We are constantly looking for new colleagues!

If you share our values and you're looking for a challenging job in Belgium's Best Workplace, visit our website.

Apply now

Get our top stories in your inbox every month

Follow us

  

Share this article