Switch Profiles

Exit Point Manager's Switch Profiles function allows you to customize Exit Point Manager authorizations for network access requests.

For example, you might use switch profiles in the following situation:

User POWERUSER initiates an incoming FTP request. The POWERUSER profile normally has IBM i authority to change or delete almost any file on the system, and to run most commands using the FTP RMTCMD facility. Because you want to limit the ability of POWERUSER to run FTP requests, you tell Exit Point Manager to switch to another user ID, called READONLY, whenever POWERUSER runs FTP. The READONLY user ID has *USE authority to IBM i files, allowing read-only access to the files, preventing POWERUSER from making any file modifications.

  1. Switch profiles are specified when adding or editing rules. From the Rules screen, choose Add or click an existing rule.
  2. Choose the Lookup button next to the Authority field.
  3. Select *SWITCH, the select the user profile you would like to switch to.
  4. Configure the server, function, location/user, and flags as you would normally and click Save.

If you want to switch to a different user profile only for a particular server function, such as SENDFILE (PUT), you can specify the switch profile for just that function.

  1. Switch profiles are specified when adding or editing rules. From the Rules screen, choose Add, or click an exisitng user rule.
  2. Choose the Lookup button next to the Server > Function field and choose *FTPSERVER > SENDFILE.
  3. For Authority, select *SWITCH, and then the select the user profile you would like to switch to (in this case, READONLY).
  4. Choose Save.

Note: When you specify a switch profile, all subsequent actions performed in that FTP session are performed using the switch profile until the user performs another FTP function. Then, Exit Point Manager switches back and performs the next function as the original user.

For example:

  • User Bill makes a request to PUT (perform a SENDFILE) a file to the IBM i. Since a rule exists to switch profiles whenever a SENDFILE function is performed, the FTP PUT is switched to run under the user profile POWERUSER.
  • All subsequent commands run during Bill's FTP session run under the profile POWERUSER, not Bill.
  • As soon Bill performs another FTP function (such as CHGCURLIB or GET), Exit Point Manager changes the job to run as Bill.

 

Related Topics