Adding, Changing, and Deleting User Rules
As you study the historical data, add, change, and delete user rules to respond to the access requirements of your organization. Continue to monitor reports and become more familiar with the authorized activity.
At this point it is time to add rules that allow authorized users access at the SERVER level (setting the Audit value to Yes or No based on your auditing requirements). This is done in preparation for public lockdown, where the default (*PUBLIC) rules are set to reject (*REJECT) and every user who has not been specifically granted access is locked out. Earlier, under Adding the Initial Rule Set, we already blocked access to the FTPREXEC server for all users. Now we can create a rule that grants access to that server for specific users only, while all other requests continue to be rejected.
Granting authorized access at the SERVER level
Using Insite:
- On the Rules Screen, click Add.
- Select the following values:
  - Rule Type=User/User Groups
  - User=MARKJ (the user who requires access)
  - Server > Function=*FTPSERVER > *ALL (this rule applies to all server functions)
  - Authority=*OS400 (uses the authorities granted by the system)
  - Audit=Yes (this value will depend on your auditing requirements)
  - Message=Inherit (inherit the global system value; default=NO)
  - Capture=Inherit (inherit the global system value; default=NO)
- Choose Save. The rule has been added. Rules for specific user profiles (or group profiles) are processed before *PUBLIC in the hierarchy, which lets you grant access to specific users while blocking all others.
- Repeat this procedure for every other server the authorized user requires. Then repeat the process for each other authorized user, until all users have access to the servers they require.
Using the green screen:
- From the Main Menu, choose 1, Work with Security by Server.
- Type UA next to the server you would like to grant access to. The existing rules for that server appear. For this example, we will be granting MARKJ access to the FTP server (*FTPSERVER).
- Press F6 to create a new rule.
- Enter the following values:
  - User Rule Type=U for an individual user (you would choose G for a User Group).
  - User=MARKJ (the user who requires access)
  - Server=*FTPSERVER
  - Function=*ALL (this rule applies to all server functions)
  - Authority=*OS400 (uses the authorities granted by the system)
  - Switch Profile=*NONE (do not switch user profiles)
  - Audit=Y (this value will depend on your auditing requirements)
  - Message=* (inherit the global system value; default=N)
  - Capture=* (inherit the global system value; default=N)
  Rules for specific user profiles (or group profiles) are processed before *PUBLIC in the hierarchy, which lets you grant access to specific users while blocking all others.
- Press Enter. The rule has been added. (Remember, the rule takes effect once the server cache is cleared.)
- Repeat this procedure for every other server the authorized user requires. Then repeat the process for each other authorized user, until all users have access to the servers they require.
Changing and Deleting Profile Rules
As employees leave the company or move to other roles, it is helpful to develop internal procedures that notify the Exit Point Manager product administrator that a user has left or has changed roles. If individual profile rules are used, the user's rule should be changed from *OS400 to *REJECT. At some point the profile should be deleted from the product. (If group profiles are used, you would not need to make rule changes in the product, assuming the profile is removed from the system or the group.)
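The two points this page makes about the rule hierarchy (a user or group rule is processed before the *PUBLIC rule for the same server, and an individual rule is changed to *REJECT or deleted when the person leaves) can be illustrated with a small model. The following Python is an added example written for this page, not the product's own rule engine or API: it assumes a lookup order of user rule, then group rules, then *PUBLIC, and within each subject an exact function match before *ALL; the function name LISTFILES and the second user JANED are constructed for the example. Audit, Message and Capture are reduced to the Audit flag only.

```python
"""Simplified model of user / group / *PUBLIC rule precedence.

Assumption (not from the product documentation): rules are looked up in the
order user profile, group profiles, *PUBLIC, and for each subject an exact
function match is preferred over *ALL. Only the Authority and Audit values
from the page are modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    user: str        # user profile, group profile, or "*PUBLIC"
    server: str      # e.g. "*FTPSERVER"
    function: str    # a specific server function or "*ALL"
    authority: str   # "*OS400" (use system authorities) or "*REJECT"
    audit: str = "N" # "Y" or "N", per the Audit value on the rule


@dataclass
class Decision:
    authority: str
    audited: bool
    matched: Optional[Rule]   # None when no rule applied


class RuleSet:
    """Rules keyed by (user, server, function); one rule per key."""

    def __init__(self) -> None:
        self.rules: dict[tuple[str, str, str], Rule] = {}

    def add(self, rule: Rule) -> None:
        self.rules[(rule.user, rule.server, rule.function)] = rule

    def change_authority(self, user: str, server: str, function: str, authority: str) -> None:
        """Departing employee: flip the individual rule from *OS400 to *REJECT."""
        old = self.rules[(user, server, function)]
        self.rules[(user, server, function)] = Rule(old.user, old.server, old.function, authority, old.audit)

    def delete(self, user: str, server: str, function: str) -> None:
        """Later step from the page: remove the profile's rule from the product."""
        del self.rules[(user, server, function)]

    def evaluate(self, user: str, groups: list[str], server: str, function: str) -> Decision:
        # Assumed precedence: the user's own rule, then each group, then *PUBLIC.
        for subject in [user, *groups, "*PUBLIC"]:
            for fn in (function, "*ALL"):
                rule = self.rules.get((subject, server, fn))
                if rule is not None:
                    return Decision(rule.authority, rule.audit == "Y", rule)
        # Assumed default when nothing matches: fall back to system authorities, unaudited.
        return Decision("*OS400", False, None)


def build_example_rules() -> RuleSet:
    """Public lockdown on *FTPSERVER plus the MARKJ rule added in the procedure above."""
    rs = RuleSet()
    rs.add(Rule("*PUBLIC", "*FTPSERVER", "*ALL", "*REJECT", "Y"))   # lockdown: reject everyone
    rs.add(Rule("MARKJ", "*FTPSERVER", "*ALL", "*OS400", "Y"))      # grant MARKJ, audited
    return rs


def offboard(rs: RuleSet, user: str, server: str, function: str = "*ALL") -> Decision:
    """Apply the page's leaver procedure (change to *REJECT) and report the resulting decision."""
    rs.change_authority(user, server, function, "*REJECT")
    return rs.evaluate(user, [], server, "LISTFILES")   # LISTFILES: constructed function name


if __name__ == "__main__":
    rs = build_example_rules()
    print(rs.evaluate("MARKJ", [], "*FTPSERVER", "LISTFILES"))   # *OS400, audited, MARKJ rule
    print(rs.evaluate("JANED", [], "*FTPSERVER", "LISTFILES"))   # *REJECT via *PUBLIC rule
    print(offboard(rs, "MARKJ", "*FTPSERVER"))                   # *REJECT via MARKJ's own rule
```

Running the block shows that MARKJ's own rule is consulted before the *PUBLIC *REJECT rule, so MARKJ is allowed while a user with no rule (JANED) is rejected; after `offboard` the user's own rule now rejects, and deleting the rule outright would leave the *PUBLIC rule to reject the request instead.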
Deleting a Rule
- See Insite Web Browser Help for information on deleting rules using Insite.
- To delete a rule on the green screen, use 4 (Delete) on the Work with Security by User panel or Work with Security by Location panel.