Switch Profiles
Exit Point Manager's Switch Profiles function allows you to customize Exit Point Manager authorizations for network access requests.
For example, you might use switch profiles in the following situation:
User POWERUSER initiates an incoming FTP request. The POWERUSER profile normally has IBM i authority to change or delete almost any file on the system, and to run most commands using the FTP RMTCMD facility. Because you want to limit the ability of POWERUSER to run FTP requests, you tell Exit Point Manager to switch to another user ID, called READONLY, whenever POWERUSER runs FTP. The READONLY user ID has *USE authority to IBM i files, allowing read-only access to the files, preventing POWERUSER from making any file modifications.
- On the Exit Point Manager Main Menu, select option 1 to display the Work with Security by Server panel.
- On the Work with Security by Server panel, enter UA (Edit User Authority) to display the Work with Security by User panel. (You also can enter FN, Work with Functions, or LA, Edit Location Authority, to work with server functions or locations.)
- On the Work with Security by User panel, specify a Switch Profile to use for a User rule. To create a new user rule, complete the first blank line. The switch profile you enter must be an active profile residing on the system.
NOTE: The administrator specifying the switch profile must have at least *USE authority to the profile.
For *FTPSERVER *ALL functions run by user JDAVIS, Exit Point Manager will switch the request to run under the READONLY user profile.
If you want to switch to a different user profile only for a particular server function, such as SENDFILE (PUT), you can specify the switch profile for just that function.
- On the Work with Security by Server panel, enter FN next to the server to display the Work with Security by Server/Function panel.
- On the Work with Security by Server/Function panel, enter UA next to the function you want to work with.
- When the Work with User Authorities panel displays, you can specify the switch profile for the function.
For *FTPSERVER SENDFILE functions run by the specified user, Exit Point Manager will switch the request to run under the POWERUSER user profile.
For example:
- User Bill makes a request to PUT (perform a SENDFILE) a file to the IBM i. Since a rule exists to switch profiles whenever a SENDFILE function is performed, the FTP PUT is switched to run under the user profile POWERUSER.
- All subsequent commands run during Bill's FTP session run under the profile POWERUSER, not Bill.
- As soon as Bill performs another FTP function (such as CHGCURLIB or GET), Exit Point Manager changes the job to run as Bill.
Creating a Switch Profile
You probably have user profiles on your system that you can use as a switch profile. However, if you decide to create new user profiles to be used as Exit Point Manager Switch Profiles, use the following guidelines.
- Create a switch user profile using the following command:
CRTUSRPRF USRPRF(profile-name) PASSWORD(*NONE) LMTCPB(*YES) SPCAUT(*NONE)
- Restrict the switch profile from sensitive libraries by assigning *EXCLUDE authority for the library to be restricted:
GRTOBJAUT OBJ(library-name) OBJTYPE(*LIB) USER(profile-name) AUT(*EXCLUDE)
If you want to allow access to some files in a library, but not others, the switch profile must have at least *USE authority to the library, or the library must have its *PUBLIC authority set to AUT(*USE). If you want read-only access to a file, the switch profile must have at least *USE authority to the file, or the file must have its *PUBLIC authority set to AUT(*USE). If the switch profile will perform record update operations, the profile must have at least *CHANGE authority to the file, or the file must have its *PUBLIC authority set to AUT(*CHANGE).
If you want to restrict any files, they must have *PUBLIC authority set to AUT(*EXCLUDE) or you must assign *EXCLUDE authority for the switch profile with the following command:
GRTOBJAUT OBJ(library/file) OBJTYPE(*FILE) USER(profile-name) AUT(*EXCLUDE)
NOTE: If you don't want to set new user authorities, you can use Exit Point Manager memorized transactions to control network requests for file access.
- To create a switch profile to increase user authorities, you should grant the special authorities needed, and set LMTCPB(*NO) if, for example, you want the user to be able to run commands through network interfaces like FTP's RMTCMD.
To restrict the use of RMTCMD, create an Exit Point Manager authority rule that rejects the FTP RMTCMD function.
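As an added example that is not part of the Exit Point Manager documentation, the following CL program carries the guidelines above through for the READONLY switch profile from the earlier FTP scenario: it creates the profile, excludes it from one library, gives it read-only access to selected objects in another, and prints the resulting authorities for review. The library and file names SALESLIB, PAYLIB, CUSTMAST and CUSTNOTES are hypothetical placeholders.

```cl
/* Added example, not from the product documentation. Builds the READONLY  */
/* switch profile and scopes its object authority. Object names are        */
/* hypothetical placeholders; substitute your own libraries and files.     */
             PGM

/* 1. Create the switch profile. PASSWORD(*NONE) prevents sign-on with it, */
/*    LMTCPB(*YES) blocks command entry, SPCAUT(*NONE) grants no special   */
/*    authority, and STATUS(*ENABLED) keeps it active, as the profile      */
/*    swap requires.                                                       */
             CRTUSRPRF  USRPRF(READONLY) PASSWORD(*NONE) +
                          STATUS(*ENABLED) LMTCPB(*YES) SPCAUT(*NONE) +
                          INLMNU(*SIGNOFF) +
                          TEXT('Exit Point Manager read-only switch profile')
             MONMSG     MSGID(CPF2214) /* Profile already exists; continue */

/* 2. Exclude the profile from a sensitive library outright.               */
             GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) USER(READONLY) +
                          AUT(*EXCLUDE)

/* 3. Read-only access to selected objects: *USE on the library is needed  */
/*    to reach anything inside it, *USE on the file allows reads only.     */
             GRTOBJAUT  OBJ(SALESLIB) OBJTYPE(*LIB) USER(READONLY) +
                          AUT(*USE)
             GRTOBJAUT  OBJ(SALESLIB/CUSTMAST) OBJTYPE(*FILE) +
                          USER(READONLY) AUT(*USE)

/* 4. In the same library, exclude one file the profile must never read.  */
             GRTOBJAUT  OBJ(SALESLIB/CUSTNOTES) OBJTYPE(*FILE) +
                          USER(READONLY) AUT(*EXCLUDE)

/* 5. Verify: print the authority list of each object so the explicit      */
/*    READONLY entries can be checked against the *PUBLIC setting.         */
             DSPOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(SALESLIB) OBJTYPE(*LIB) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(SALESLIB/CUSTMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(SALESLIB/CUSTNOTES) OBJTYPE(*FILE) OUTPUT(*PRINT)
             ENDPGM
```

Because the explicit *EXCLUDE on CUSTNOTES takes precedence over *USE granted at the library level, the printed authority lists are the place to confirm that a file's *PUBLIC authority does not quietly reopen what the library grant was meant to close.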