
Controlling access to workstations

How to restrict workstation access with iSeries security and authorization.

If you have a medium sized or larger iSeries installation, you've probably had the question raised about how you can prevent unauthorized use of specific workstations on your system. The idea is that someone who is authorized to use your system should not be allowed to sign on to the system from just any workstation device. Obviously, you don't want that limitation to apply to system support staff, but users who are doing routine clerical tasks should be limited, under normal conditions, to their own departmental workstation devices. A typical situation raised is the specter of a warehouse shop floor stooge signing onto the system in the accounts payable department, although this may unfairly characterize warehouse workers.

For starters, there are some system values you want to set to provide you with a controllable environment. Check the setting for the "Autoconfigure Devices" (QAUTOCFG) value. To prevent new devices from being configured without your control, it should be set off (zero). You should also change the "Autoconfigure Virtual Devices" (QAUTOVRT) value to zero to prevent any new virtual devices from getting created. If your system has been set up so that many users end up with device session names that start with QPADEVxxxx, then that is an issue for your installation that has to be dealt with first.


Before setting those values as recommended, you will have to identify the workstations where the QPADEVxxxx device names are being used and reconfigure the terminal emulation to specify a device name. In iSeries Access, the QPADEVxxxx will be used when the workstation ID has been left blank. To control who can use each workstation, each workstation must have a known and permanent workstation ID value assigned to it. If you make the above system value changes without any preparation, you're asking for a lot of angry phone calls. Once that has been changed, it would be a good idea to go through your system and remove all of the QPADEVxxxx devices that have already been automatically configured so that they cannot be used again.

Once each workstation has its own name, you can move on to controlling which users can use the different workstation devices. Workstation devices are created in the QSYS library on your system with an object type of *DEVD. When a new workstation device is created, the public authority for that device normally defaults to *CHANGE. To limit who can use a device, just change that to any lower setting, such as *USE or even *EXCLUDE. Then, specifically authorize the user profiles that can legitimately use the workstation. You can do this by individual user profile or, better yet, by group profile. You should also seriously consider using an authorization list, since that will let you make security changes to the device while it is in use. Authorizing the user profile or group to the *CHANGE level will then grant that user or group of users access to the workstation.

There are some exceptions to how this works that you should be aware of. For example, if your system's overall security level (system value QSECURITY) is lower than 30, then this won't work. If that's the case, you've got more serious security issues and should not even be reading this. If the user profile signing on has the *ALLOBJ special authority, then it will be allowed to use the device even without specific authority being granted. That can work to your advantage if your support staff needs access to all devices, but you need to be careful about *ALLOBJ authority being granted too widely.
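The whole procedure above, written out as CL commands. This is an added example and not part of the original article; the device names (APDSP01, APDSP02), the authorization list (APDEVS) and the group profile (APGROUP) are made-up placeholders, and the QPADEV0001 device stands in for whatever auto-configured names your inventory turns up.

```cl
/* Added example, not from the article. Placeholders: APDSP01/APDSP02    */
/* (departmental displays), APDEVS (authorization list), APGROUP (group) */

/* 0. Object authority on a *DEVD is only enforced at QSECURITY 30 or    */
/*    higher, so confirm the level before doing anything else.           */
DSPSYSVAL SYSVAL(QSECURITY)

/* 1. Inventory the auto-configured devices BEFORE changing the system   */
/*    values. Every workstation in this list needs a fixed workstation   */
/*    ID set in its emulator session first, or its users lose access.    */
WRKDEVD DEVD(QPADEV*)

/* 2. Stop new real and virtual devices from being auto-configured.      */
CHGSYSVAL SYSVAL(QAUTOCFG) VALUE('0')
CHGSYSVAL SYSVAL(QAUTOVRT) VALUE('0')

/* 3. Remove the leftover QPADEVxxxx descriptions so they cannot be     */
/*    reused. Repeat for each one; a device must be varied off first.    */
VRYCFG CFGOBJ(QPADEV0001) CFGTYPE(*DEV) STATUS(*OFF)
DLTDEVD DEVD(QPADEV0001)

/* 4. Secure the departmental devices with an authorization list, so     */
/*    entries can be changed while the devices are in use. Public        */
/*    authority on the list is *EXCLUDE; the group gets *CHANGE, the     */
/*    level needed to sign on. Each device is attached to the list and   */
/*    its own *PUBLIC entry is set to *AUTL so the list governs it.      */
CRTAUTL AUTL(APDEVS) TEXT('Accounts payable workstations') AUT(*EXCLUDE)
ADDAUTLE AUTL(APDEVS) USER(APGROUP) AUT(*CHANGE)
GRTOBJAUT OBJ(QSYS/APDSP01) OBJTYPE(*DEVD) AUTL(APDEVS)
GRTOBJAUT OBJ(QSYS/APDSP01) OBJTYPE(*DEVD) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(QSYS/APDSP02) OBJTYPE(*DEVD) AUTL(APDEVS)
GRTOBJAUT OBJ(QSYS/APDSP02) OBJTYPE(*DEVD) USER(*PUBLIC) AUT(*AUTL)

/* 5. Verify the device authority, then review who bypasses it:          */
/*    profiles holding *ALLOBJ can sign on at any device regardless.     */
DSPOBJAUT OBJ(QSYS/APDSP01) OBJTYPE(*DEVD)
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
```

The commands can be entered one at a time from a command line (the comments are only valid in CL source) or wrapped in PGM/ENDPGM and compiled as a CL program.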

If you have any questions about this topic, you can reach me at, I'll give it my best shot. All e-mail messages will be answered.

About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
