Edit Default System
The settings on this page allow Powertech Multi-Factor Authentication administrators to configure the default action to perform (allow or deny) for IBM i user profiles not allocated to an Powertech Multi-Factor Authentication user on systems that authentication is enabled on.
Upon signing on to a system secured by Powertech Multi-Factor Authentication with a user profile not attached to an Powertech Multi-Factor Authentication user, Powertech Multi-Factor Authentication first consults the settings for that system in its Edit System screen. If 'Use Agent Defaults' is set to On, or the user profile is otherwise allowed by the individual system's settings, Powertech Multi-Factor Authentication defers to the settings on this screen.
Administrators can then allow or deny access for individual new user profiles as exceptions to the default action.
This page also allows administrators to change the default authentication status (enabled or disabled) for each exit point.
How to Get There
In the Navigation Pane, choose Agents, then Systems Defaults.
Options
Default Unassigned Profile Action: Deny users access • Allow users access
Choose 'Deny users access' to reject login attempts by IBM i user profiles unfamiliar to Powertech Multi-Factor Authentication. Choose 'Allow users access' to grant access to user profiles unfamiliar to Powertech Multi-Factor Authentication. Unassigned users that have been granted access will inherit the user settings of the Default Group. See Users screen.
Unassigned Profile Action
If any of the profiles in this list come through one of the system's exit points, and Powertech Multi-Factor Authentication can't find an Powertech Multi-Factor Authentication user attached to that profile to challenge for authentication, Powertech Multi-Factor Authentication will check the Unassigned Profile Action setting for that user profile. If it is set to Allow, the user will not be challenged with an authentication request and will be permitted to sign on. If the user is set to Deny, they will be denied access.
Add Profile • Remove
Click Add Profile to open the Select Profiles screen, where you can choose a profile on the selected system. Select a user and click Remove to remove that user from the list.
[profile list]; Deny • Allow
Choose 'Deny' from the drop-down list adjacent to a user to reject login attempts by that user. Choose 'Allow' to grant access to the adjacent user.
Authentication Suppression
This parameter controls authentication suppression globally. Authentication suppression reduces the number of times authentication is required.
Authentication Suppression (minutes)
Specify the period of time, in minutes, authentication will be suppressed for each IBM i interactive session. After an initial authentication request, the user will not receive additional authentication requests during that session until the time period has expired. This is the global setting. This setting can be overridden for systems individually using the Edit System page.
Exit Points; Activate • Deactivate
Check the exit points you would like to activate or deactivate. Whether the exit point is set to activated or deactivated initially depends on the system's default settings when added to Powertech Multi-Factor Authentication. Powertech Multi-Factor Authentication supports the following exit points:
- DDM/DRDA Server
- Database Svr-Initiation
- FTP Server Logon
- FTP Server Requests
- File Server
- REXEC Server Logon
- Remote Command
- Retrieve command exit programs
- TCP Signon Server
Click Activate to secure them with Powertech Multi-Factor Authentication. Click Deactivate to stop securing them with Powertech Multi-Factor Authentication.
For example, if the system is enabled, and you set an exit point to Deactivate and click Save, Powertech Multi-Factor Authentication sends a message to deregister the exit point program with Powertech Multi-Factor Authentication. If the system is not currently enabled in Powertech Multi-Factor Authentication, and this setting is changed, the setting is stored in the database so that when the system is enabled within Powertech Multi-Factor Authentication, Powertech Multi-Factor Authentication will apply the activate/deactivate setting as appropriate, and register/deregister the exit point program accordingly.
ENDSBS SBS(QSERVER)
STRSBS SBSD(QSERVER)
If after restarting the subsystem authentication still does not function properly, also restart the QUSRWRK subsystem:
ENDSBS SBS(QUSRWRK)
STRSBS SBSD(QUSRWRK)