Controlling access to workstations


Rich Loeber
07.12.2005


If you have a medium-sized or larger iSeries installation, you've probably been asked how you can prevent unauthorized use of specific workstations on your system. The idea is that someone who is authorized to use your system should not be allowed to sign on to the system from just any workstation device. Obviously, you don't want that limitation to apply to system support staff, but users who are doing routine clerical tasks should be limited, under normal conditions, to their own departmental workstation devices. A typical situation raised is the specter of a warehouse shop floor stooge signing onto the system in the accounts payable department, although this may unfairly characterize warehouse workers.

For starters, there are some system values you want to set to provide you with a controllable environment. Check the setting for the "Autoconfigure Devices" (QAUTOCFG) value. To prevent new devices from being configured without your control, that should be set off (zero). You should also change the "Autoconfigure Virtual Devices" (QAUTOVRT) value to zero to prevent any new virtual devices from being created. If your system is set up so that many users end up with device session names that start with QPADEVxxxx, then that is an issue for your installation.


Before setting those values as recommended, you will have to identify the workstations where the QPADEVxxxx device names are being used and reconfigure the terminal emulation to specify a device name. In iSeries Access, the QPADEVxxxx will be used when the workstation ID has been left blank. To control who can use each workstation, each workstation must have a known and permanent workstation ID value assigned to it. If you make the above system value changes without any preparation, you're asking for a lot of angry phone calls. Once that has been changed, it would be a good idea to go through your system and remove all of the QPADEVxxxx devices that have already been automatically configured so that they cannot be used again.

Once each workstation has its own name, you can then move to control the users who can use different workstation devices. Workstation devices are created in the QSYS library on your system with an object type of *DEVD. When a new workstation device is created, the public access for that device normally defaults to *CHANGE. To limit who can use a device, just change that to any lower setting, such as *USE or even *EXCLUDE. Then, specifically authorize the user profiles that can legitimately use the workstation. You can do this by individual user profile or, better yet, by group profile. You should also seriously consider using an authorization list since that will let you make security changes to the device while it is in use. Authorizing the user profile or group to the *CHANGE level will then grant access to the user or group of users to the workstation.

There are some exceptions to how this works that you should be aware of. For example, if your system's overall security setting (system value QSECURITY) is lower than 30, then this won't work. If that's the case, you've got more serious security issues and should not even be reading this. If the user profile logging on has the special authority *ALLOBJ, then that user will be allowed to use the device even without specific authority being granted. That can work to your advantage if your support staff needs access to all devices, but you need to be careful about *ALLOBJ authority being granted too widely.
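
The procedure above as a CL program, added here as an example and not part of the original tip. The device APDSP01, group profile GRPAP, authorization list APDEVAUTL and the leftover device QPADEV0001 are hypothetical names, and the program assumes the caller has enough authority to change system values and device authorities.

```cl
/* Added example: limit display APDSP01 to the accounts payable    */
/* group. APDSP01, GRPAP, APDEVAUTL, QPADEV0001 are hypothetical.  */
PGM
  DCL VAR(&SECLVL) TYPE(*CHAR) LEN(2)

  /* Device authority is only enforced at QSECURITY 30 or higher, */
  /* so stop here rather than give a false sense of protection.   */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  IF COND(&SECLVL *LT '30') THEN(DO)
    SNDPGMMSG MSG('QSECURITY is below 30; device authority is +
                   not enforced. No changes made.')
    RETURN
  ENDDO

  /* Stop automatic creation of local and virtual devices. Do   */
  /* this only after every emulator has a fixed workstation ID. */
  CHGSYSVAL SYSVAL(QAUTOCFG) VALUE('0')
  CHGSYSVAL SYSVAL(QAUTOVRT) VALUE(0)

  /* Authorization list: public excluded, AP group at *CHANGE.  */
  CRTAUTL AUTL(APDEVAUTL) AUT(*EXCLUDE) +
          TEXT('Accounts payable workstations')
  ADDAUTLE AUTL(APDEVAUTL) USER(GRPAP) AUT(*CHANGE)

  /* Secure the device with the list, then make *PUBLIC take    */
  /* its authority from the list instead of the *CHANGE default. */
  GRTOBJAUT OBJ(QSYS/APDSP01) OBJTYPE(*DEVD) AUTL(APDEVAUTL)
  GRTOBJAUT OBJ(QSYS/APDSP01) OBJTYPE(*DEVD) USER(*PUBLIC) +
            AUT(*AUTL)

  /* Remove one auto-configured device so it cannot be reused.  */
  /* A device must be varied off before it can be deleted.      */
  VRYCFG CFGOBJ(QPADEV0001) CFGTYPE(*DEV) STATUS(*OFF)
  DLTDEVD DEVD(QPADEV0001)
ENDPGM
```

Later changes to who may use the workstation are made with ADDAUTLE and RMVAUTLE against the list, not against the device description; DSPOBJAUT OBJ(QSYS/APDSP01) OBJTYPE(*DEVD) shows the resulting authorities.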

If you have any questions about this topic, you can reach me at rich@kisco.com, and I'll give it my best shot. All e-mail messages will be answered.

---------------------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

