Switch Profiles

Exit Point Manager's Switch Profiles function allows you to customize Exit Point Manager authorizations for network access requests.

For example, you might use switch profiles in the following situation:

User POWERUSER initiates an incoming FTP request. The POWERUSER profile normally has IBM i authority to change or delete almost any file on the system, and to run most commands using the FTP RMTCMD facility. Because you want to limit the ability of POWERUSER to run FTP requests, you tell Exit Point Manager to switch to another user ID, called READONLY, whenever POWERUSER runs FTP. The READONLY user ID has *USE authority to IBM i files, allowing read-only access to the files, preventing POWERUSER from making any file modifications.

  1. On the Exit Point Manager Main Menu, select option 1 to display the Work with Security by Server panel.
  2. On the Work with Security by Server panel, enter UA (Edit User Authority) to display the Work with Security by User panel. (You also can enter FN, Work with Functions, or LA, Edit Location Authority, to work with server functions or locations.)
  3. On the Work with Security by User panel, specify a Switch Profile to use for a User rule. To create a new user rule, complete the first blank line. The switch profile you enter must be an active profile residing on the system.
    NOTE: The administrator specifying the switch profile must have at least *USE authority to the profile.

For *FTPSERVER *ALL functions run by user JDAVIS, Exit Point Manager will switch the request to run under the READONLY user profile

If you want to switch to a different user profile only for a particular server function, such as SENDFILE (PUT), you can specify the switch profile for just that function.

  1. On the Work with Security by Server panel, enter FN next to the server to display the Work with Security by Server/Function panel.
  2. On the Work with Security by Server/Function panel, enter UA next to the function you want to work with.
  1. When the Work with User Authorities panel display, you can specify the switch profile for the function.

For *FTPSERVER SENDFILE functions run by the specified user, Exit Point Manager will switch the request to run under the POWERUSER user profile.

NOTE: When you specify a switch profile, all subsequent actions performed in that FTP session are performed using the switch profile until the user performs another FTP function. Then, Exit Point Manager switches back and performs the next function as the original user.

For example:

  • User Bill makes a request to PUT (perform a SENDFILE) a file to the IBM i. Since a rule exists to switch profiles whenever a SENDFILE function is performed, the FTP PUT is switched to run under the user profile POWERUSER.
  • All subsequent commands run during Bill's FTP session run under the profile POWERUSER, not Bill.
  • As soon Bill performs another FTP function (such as CHGCURLIB or GET), Exit Point Manager changes the job to run as Bill.

Creating a Switch Profile

You probably have user profiles on your system that you can use as a switch profile. However, if you decide to create new user profiles to be used as Exit Point Manager Switch Profiles, use the following guidelines.

NOTE: The switch profile function is not allowed on the file server. If the file server exit program swaps to another user and does not swap back to the original user, the file server session continues to operate with the user that originally connected to the session. This is because the host file server and IBM i NetServer get credential information for the user who did the initial connection to the session and uses this credential information when doing client requests. With the host file server and IBM i NetServer using the credential information, any swapping of the user profile in the file server exit program is not used by the file server for file system operations.
  1. Create a switch user profile using the following command:

    CRTUSRPRF USRPRF(profile-name) PASSWORD(*NONE) LMTCPB(*YES) SPCAUT(*NONE)

  2. Restrict the switch profile from sensitive libraries by assigning *EXCLUDE authority for the library to be restricted:

    GRTOBJAUT OBJ(library-name) OBJTYPE(*LIB) USER(profile-name) AUT(*EXCLUDE)

    If you want to allow access to some files in a library, but not others, the switch profile must have at least *USE authority to the library, or the library must have the *PUBLIC authority set to AUT(*USE). If you want read-only access to a file, the switch profile must have at least *USE authority to the file or the file must have the authority set to AUT(*USE). If the switch profile will perform record update operations, the profile must have at least *CHANGE rights, or the file must have the *PUBLIC authority set to AUT(*CHANGE).

    If you want to restrict any files, they must have *PUBLIC authority set to AUT(*EXCLUDE) or you must assign *EXCLUDE authority for the switch profile with the following command:

    GRTOBJAUT OBJ(library/file) OBJTVPE(*FILE) USER(profile-name) AUT(*EXCLUDE)

    NOTE:
    • If you don't want to set new user authorities, you can use Exit Point Manager memorized transactions to control network requests for file access.
    • To create a switch profile to increase user authorities, you should grant the special authorities needed, and set LMTCPB(*NO) if, for example, you want the user to be able to run commands through network interfaces like FTP's RMTCMD.

    To restrict the use of RMTCMD, create a Exit Point Manager authority rule that rejects the FTP RMTCMD function.

 

Related Topics