Adding the Initial Rule Set
In this section you will learn how to add user rules that tell Exit Point Manager to reject access to a server for a specific user, or for all users. You will also learn how to manage service profiles that require access, but do not need to be audited.
Blocking Unused Servers
When you are confident that a server is not being used, you can create a rule to block any possible access. For the following example, we will assume the *FTPREXEC server is not being used and should be blocked.
- On the Rules screen, click the *PUBLIC rule for the *FTPREXEC server.
- Choose Lookup to the right of the Authority field.
- Choose *REJECT.
- Ensure Audit is set to Yes.
NOTE: Whenever a reject rule is put in place it is highly recommended the Audit flag remains set to Yes. In the future, it may be useful to run an audit report showing any rejected access attempts against servers you have blocked. (If you are creating a new rule, set Messages to “Yes” in order to immediately submit a message upon any access attempts that are rejected.)
- Choose Save. The *FTPREXEC server has been blocked for all users.
This rule blocks access to all functions of the *FTPREXEC server for all users. The same rule can also be created from the green-screen interface:
- From the Main Menu, choose option 2, Work with Security by User.
- Next to the *FTPREXEC server *PUBLIC (default) user rule, enter 2.
- Change the Authority column from *OS400 to *REJECT. (Alternatively, to block a server for a particular user, you would create a new rule, indicating *ALL for Function, the user’s ID for User, and *REJECT for Authority.)
NOTE: Consider using a message management tool to help alert you of any reject messages.
- Ensure Audit is set to Y.
NOTE: Whenever a reject rule is put in place it is highly recommended the Audit flag remains set to Y. In the future, it may be useful to run an audit report showing any rejected access attempts against servers you have blocked. (If you are creating a new rule, set Message to “Y” in order to immediately submit a message upon any access attempts that are rejected. Set Switch Profile to *NONE).
- Press Enter. The *FTPREXEC server has been blocked for all users.
- This rule takes effect when the server cache is cleared. For the rule to be effective immediately, clear the server cache manually by turning rule enforcement off and on again as follows:
  - In Work with Security by Server, enter SP for the server (in this case, *FTPREXEC).
  - Change Exit Point Manager Rules Enforced to N and press Enter.
  - Turn rule enforcement back on: change Exit Point Manager Rules Enforced to Y and press Enter.
Managing Service Profile Activity
In the previous section (Discovery, Data Collection, and Analysis) we learned that PLCM2ADM is an automated service profile that requires access to the system, but does not need to be audited. Its transaction history produces unnecessary data that can be inconvenient to sift through while analyzing reports. Therefore, we can add a rule that grants it access to the server it requires (*DATAQSRV), with auditing turned off.
- On the Rules screen, choose Add and select the following values:
  - Rule Type=User/User Group
  - User/User Group=PLCM2ADM (the service profile account ID)
  - Server > Function=*DATAQSRV and *ALL (this rule applies to all server functions)
  - Authority=*OS400 (uses the authorities granted by the system)
  - Audit=No (do not audit)
  - Message=Inherit (inherit global system value)
  - Capture=Inherit (inherit global system value)
- Choose Save to create the rule.
The same rule can also be created from the green-screen interface:
- From the Main Menu, choose 1, Work with Security by Server.
- Type UA next to the server used by the service profile (in this case *DATAQSRV) and press Enter.
- Enter 3 to copy the *PUBLIC rule.
- Enter the following values:
  - User Rule Type=U for an individual user (you would choose G for a User Group).
  - User=PLCM2ADM (the service profile account ID)
  - Server=*DATAQSRV (the chosen server)
  - Function=*ALL (this rule applies to all server functions; alternatively, you could enter a specific function)
  - Authority=*OS400 (uses the authorities granted by the system)
  - Switch Profile=*NONE (do not switch user profiles)
  - Audit=N (do not audit)
  - Message=* (inherit global system value; default=N)
  - Capture=* (inherit global system value; default=N)
- Press Enter to create the rule.
If the *PUBLIC rule for this server is set to *REJECT, all access attempts will be rejected. But since this new rule is more specific, it is evaluated first, allowing PLCM2ADM access while restricting all other users. With this configuration, all access requests to *DATAQSRV will be rejected, except for those originating from the user PLCM2ADM.
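The precedence described above (a user rule is evaluated before the *PUBLIC rule, and each rule carries its own Audit setting) can be checked with a small model of the rule set from this section. This is an added Python example, not Exit Point Manager's own code; the rule structure, the specificity scoring, the function name ANYFUNC and the user JSMITH are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """A modelled user rule (constructed; not the product's own record layout)."""
    user: str       # "*PUBLIC" or a user profile name
    server: str     # e.g. "*FTPREXEC" or "*DATAQSRV"
    function: str   # "*ALL" or a single server function
    authority: str  # "*REJECT" or "*OS400"
    audit: bool     # True = write an audit record for the access attempt

@dataclass(frozen=True)
class Decision:
    allowed: bool
    audited: bool
    rule: Rule      # the rule that decided the request

def specificity(rule: Rule, user: str, server: str, function: str) -> Optional[int]:
    """None if the rule does not cover the request; otherwise a score where a
    named user outranks *PUBLIC and a named function outranks *ALL."""
    if rule.server != server or rule.user not in ("*PUBLIC", user):
        return None
    if rule.function not in ("*ALL", function):
        return None
    return (2 if rule.user != "*PUBLIC" else 0) + (1 if rule.function != "*ALL" else 0)

def evaluate(rules, user: str, server: str, function: str) -> Decision:
    """Apply the most specific matching rule, so a user rule wins over *PUBLIC."""
    best = None
    for rule in rules:
        score = specificity(rule, user, server, function)
        if score is not None and (best is None or score > best[0]):
            best = (score, rule)
    if best is None:  # model assumption: every server has a *PUBLIC rule
        raise LookupError(f"no rule covers {user} on {server}")
    rule = best[1]
    return Decision(allowed=rule.authority != "*REJECT", audited=rule.audit, rule=rule)

# Constructed rule set following this section: both servers blocked for *PUBLIC
# with Audit on, and the PLCM2ADM service profile granted *DATAQSRV without audit.
RULES = [
    Rule("*PUBLIC", "*FTPREXEC", "*ALL", "*REJECT", audit=True),
    Rule("*PUBLIC", "*DATAQSRV", "*ALL", "*REJECT", audit=True),
    Rule("PLCM2ADM", "*DATAQSRV", "*ALL", "*OS400", audit=False),
]

if __name__ == "__main__":
    for who, srv in (("JSMITH", "*FTPREXEC"), ("PLCM2ADM", "*DATAQSRV"), ("JSMITH", "*DATAQSRV")):
        d = evaluate(RULES, who, srv, "ANYFUNC")  # ANYFUNC is a constructed function name
        print(who, srv, "allowed" if d.allowed else "rejected", "audited" if d.audited else "not audited")
```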