Manage Learn to apply best practices and optimize your operations.

Limit access to workstations

How to limit access to workstations.

In any iSeries installation it is important to limit access to workstations. You want to allow authorized users...

to access specific terminal devices, but you want to keep users from logging onto the system from a device where they should not be working. OS/400 security provides you with an easy way to do this.

To limit the users who can sign on at a workstation, set the public authority for the workstation device description to "*EXCLUDE" and give "*CHANGE" authority to specific users or group profiles. In this case, it may be important for you to have group profiles activated, as this will simplify administration of this feature. This will only work if you have the QSECURITY system value set to 30 or higher. (If you are at level 20, you have too many security exposures already to be concerned about this feature.) For shops with network access, it will be important that you not use the default QPADEVnnnn device names. You can eliminate this by setting the system value QAUTOVRT to zero. Then, for each user logging in through Client Access/400 (or equivalent) you will have to establish a specific device name at each location. These are the device descriptions that can then be used to limit the users who can use them. If you have to convert over to specifically named workstations, make sure that you go back and remove the QPADEVnnnn device descriptions once you are all done.

The security officer (QSECOFR) is not allowed to use any specific devices. If the QLMTSECOFR system value is set to 1, then you must give the security officer *CHANGE authority to devices. Anyone with *OBJMGT and *CHANGE authority to a device can give *CHANGE authority to another user. This is important if you want to allow QSECOFR to logon to your system from any device once this area has been locked down. If you want to limit where QSECOFR can sign on, make sure that you do grant permission for the security officer profile to at least one device plus your system console.

If you lock down your workstation devices by specific user profile, you will have an administrative task when there is staff turnover. To change ownership of a device, the device must be powered on and varied on. Sign on at the device and change the ownership using the CHGOBJOWN command. If you want to change authority when you are not logged onto that device, you must allocate the device before changing ownership. Use the Allocate Object (ALCOBJ) command, but only when no one is using it. After you have changed ownership, be certain to deallocate the device using the Deallocate Object (DLCOBJ) command.

Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the AS/400 market.


The Best Web Links: Tips, tutorials and more.'s targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Read this Featured Topic: Secure your iSeries

Dig Deeper on iSeries system and application security