Authorization & Security in Sitemule Platform

Discover how Sitemule Platform combines IBM i’s native authorization model with a granular, role-based user directory - enabling secure, cross-platform access for modern applications and APIs.

As IBM i environments evolve to connect with web, cloud, and third-party systems, organizations face a growing challenge: how to open access without losing control. Traditional IBM i authorization models - built on user profiles, object authorities, and authorization lists - remain among the most secure in enterprise computing. However, they were never designed to handle today’s interconnected world of APIs, mobile clients, and browser-based applications.

 

The Authorization & Security feature in the Sitemule Platform bridges this gap. It merges IBM i’s native security model with a modern, granular, role-based directory that governs access for both IBM i users and those connecting from external systems. The result is a unified security layer that preserves IBM i integrity while extending its reach to a broader digital ecosystem.

 

Architecture and Core Design Principles

Architecture

The Authorization & Security subsystem is integrated directly into the Platform runtime, operating natively on IBM i. It interfaces with the system’s existing security infrastructure - user profiles, group profiles, and object authorities - while introducing an additional directory service that defines fine-grained roles, permissions, and cross-platform access rules. These roles are stored in Db2 for i and referenced by all Platform modules through a shared security API.

 

Design Rationale

The primary design goal is to unify legacy and modern access models under one consistent policy engine. Rather than replacing IBM i security, the Platform augments it - adding an application-layer authorization structure capable of handling web requests, API calls, and GUI sessions. This approach ensures that IBM i’s proven security remains the ultimate authority, while the Platform enforces contextual access control above it.

 

Data Flow

When a user authenticates - whether from the Portfolio web interface, a REST endpoint, or an integrated third-party tool - the Platform first validates credentials against the IBM i security registry. Once confirmed, the system associates the user with one or more Platform roles, determining which applications, datasets, and functions are available. Every subsequent request is passed through the same layered authorization logic: first IBM i object-level checks, then Platform-level role validation. The dual enforcement guarantees that even external users operate within IBM i’s secure framework.
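
A minimal model of the layered check described above, as an added example that is not Sitemule's code or API. The users, role names, operations and the `NATIVE_AUTH` table standing in for IBM i object authority are constructed sample data, and role inheritance is modelled on the hierarchical inheritance the page mentions under Scalability.

```python
# Added illustration; every name below is hypothetical, constructed sample data.
ROLE_PARENTS = {"Partner": [], "Operator": ["Partner"], "Admin": ["Operator"]}
ROLE_PERMS = {"Partner": {"GET /shipments"},
              "Operator": {"POST /orders"},
              "Admin": {"DELETE /orders"}}
USER_ROLES = {"supplier01": ["Partner"], "opsuser": ["Operator"],
              "tempadmin": ["Admin"], "batchusr": ["Partner"]}
# Stand-in for native object authority: (user, object) -> authorities held.
NATIVE_AUTH = {("supplier01", "SHIPMENTS"): {"*USE"},
               ("opsuser", "SHIPMENTS"): {"*USE"},
               ("opsuser", "ORDERS"): {"*USE", "*CHANGE"},
               ("batchusr", "ORDERS"): {"*USE", "*CHANGE"}}
# Operation -> (object touched, authority required on it).
OPERATIONS = {"GET /shipments": ("SHIPMENTS", "*USE"),
              "POST /orders": ("ORDERS", "*CHANGE"),
              "DELETE /orders": ("ORDERS", "*CHANGE")}


def effective_permissions(roles):
    """Union of permissions over the roles and everything they inherit."""
    seen, stack, perms = set(), list(roles), set()
    while stack:
        role = stack.pop()
        if role in seen or role not in ROLE_PERMS:
            continue  # cycle guard; unknown roles grant nothing
        seen.add(role)
        perms |= ROLE_PERMS[role]
        stack.extend(ROLE_PARENTS.get(role, []))
    return perms


def authorize(user, operation):
    """Return (allowed, deciding_layer); anything unknown is denied."""
    if operation not in OPERATIONS:
        return False, "unknown-operation"
    obj, needed = OPERATIONS[operation]
    # Layer 1: native object-level check, which a role can never override.
    if needed not in NATIVE_AUTH.get((user, obj), set()):
        return False, "native"
    # Layer 2: role validation, looked up server-side for this user.
    if operation not in effective_permissions(USER_ROLES.get(user, [])):
        return False, "role"
    return True, "allowed"
```

A role grant never rescues a request the native layer refuses, and native authority alone is not enough without a matching role.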

 

Integration within Sitemule Platform

Within the Sitemule Platform, Authorization & Security functions as a foundational service that all modules depend on. The Portfolio interface uses it to filter visible applications, data grids, and management consoles based on a user’s role. Workspace, which delivers modern web interfaces for 5250 programs, applies the same rules to determine which modernized screens or actions a user may access. Hub and Architect rely on the same central service when exposing APIs or generating data-driven applications.

 

The authorization engine communicates with these modules via the Platform’s internal API bus. When a user invokes an operation - such as executing a query or calling a service - the module forwards the request to the authorization subsystem for validation. This integration ensures consistency across the ecosystem: a single user identity and permission model applies equally to RPG-driven back-end logic, SQL data services, and browser-based clients.

 

“Security should never be the trade-off for modernization. With Sitemule Platform, we extended IBM i access securely - without rewriting a single policy or weakening control.”

 

Technical Benefits and Performance

Performance

Operating entirely on IBM i, the authorization process introduces negligible latency. Since both authentication and role resolution occur within the same job context, there are no network calls to external identity providers or token servers. This local execution allows sub-millisecond verification during high-frequency API transactions or user interactions.

 

Scalability

The Platform’s role directory supports hierarchical role inheritance and group mappings, making it efficient for large enterprise deployments. It scales horizontally through IBM i job pools, allowing thousands of concurrent sessions without bottlenecks. The authorization cache minimizes repeated lookups by storing recent access results in memory.

 

Maintainability

All access policies are stored in Db2 tables and can be modified through the Platform’s administration interface. This means administrators can adjust permissions dynamically - adding new roles, linking external users, or adjusting service rights - without recompiling code or restarting services. Because the rules coexist with IBM i’s native security, audit and compliance remain straightforward.

 

Auditability

Every authentication event, failed login, or access attempt is logged through IBM i journaling and mirrored in the Platform’s audit tables. Administrators can review logs in Portfolio or export them for compliance reporting, ensuring full traceability for internal and external auditors.

 

Compatibility and Interoperability

The Authorization & Security feature was designed for full compatibility with IBM i standards. It uses IBM i’s user profiles and authorization lists (AUTL) as the primary layer of control, ensuring that core access rules remain intact. Above that, the Platform adds a web-aware authorization tier supporting modern concepts such as JSON Web Tokens (JWT) and OAuth 2.0 for API access.

 

A developer building a REST service, for example, can expose it via the Platform runtime. Incoming HTTP requests carry tokens that identify the caller. The runtime verifies these tokens, maps them to Platform roles, and then applies both the application’s and IBM i’s native permissions before executing the underlying RPG or SQL logic. This seamless bridging allows developers to connect Db2 data or IBM i business logic directly to third-party systems - CRMs, cloud analytics, or partner platforms - without compromising security.

 

Because authorization is centralized, even non-IBM i users (for example, a supplier accessing inventory data through Hub) can authenticate through the Platform’s directory. Their actions are still governed by IBM i’s security context, giving organizations granular control over every external interaction.

 

Use case

A logistics provider running a legacy ERP on IBM i needed to expose shipment tracking and order management capabilities to external partners. Security was the primary barrier; the company could not risk opening direct access to its IBM i environment.

 

By deploying Sitemule Platform with its Authorization & Security feature, the provider implemented a role-based access model. External partners were granted “Partner” roles in the Platform directory, limiting them to specific API endpoints. Internally, IBM i authentication governed all object access and transaction handling. Within two months, partners were using the system through secure web interfaces, while the IBM i operations team retained full visibility and control. The solution reduced manual updates and email exchanges by 70 %, all while maintaining the system’s original security guarantees.

 

Extend IBM i Security Without Sacrificing Control

The Authorization & Security framework works in tandem with Native IBM i Integration, which ensures all execution occurs within the IBM i environment. It also complements Monitoring & Alerting, using the same role-based controls to define who can access system metrics or receive notifications.

 

By combining IBM i’s trusted security foundation with modern, role-based authorization, the Sitemule Platform delivers the flexibility of a web-era access model without sacrificing control. It allows organizations to extend IBM i securely into the digital ecosystem, enabling collaboration, automation, and data sharing under one consistent security framework.
