× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2015

Re: possible to never disable specific user?

On 21-Jan-2015 11:05 -0600, rob@xxxxxxxxx wrote:
On 21-Jan-2015 09:37 -0600, Hoteltravelfundotcom wrote:
We have disabling of any user if failed password 3x,

IOW, presumably, the System Value QMAXSIGN=3

Can this be changed for specific user to never be disabled?

A direct means would likely be implemented with a Maximum Signon Attempts Allowed attribute of the User Profile (USRPRF) object and thus with a MAXSIGN() parameter of the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands. Otherwise [and likely this remains the case] the approach would need to be indirect; reactive to the condition of being disabled rather than preventive of the condition in a customizable fashion [specific to each user].

I strongly suggest you do a CRTMSGQ QSYSMSG if you do not have this
message queue already. This will route a copy of certain system
critical messages to this message queue. <<SNIP>>

And for doc references in that regard; which should also emphasize that although creation is the first step, the monitoring is the key:

IBM i 7.1->Security->Security reference->Security system values->General security system values->:

<http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzarl/rzarlaction.htm>
_Action When Sign-On Attempts Reached_ (QMAXSGNACN)
"...
If you create the QSYSMSG message queue in QSYS, the message sent (CPF1397) contains the user and device name. Therefore, it is possible to control the disabling of the device based on the device being used.
..."

That implies the ability exists also to control selectively the [re]enabling of a user profile in that scenario; though not preventing the initial disablement so a profile would remain disabled for a window of time awaiting change. However using the msg CPF1393 vs msg CPF1397; see the following additional doc reference:

<http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzarl/rzarlmaxsgn.htm>
_Maximum Sign-On Attempts_ (QMAXSIGN)
"...
When the maximum number of sign-on or password verification attempts is reached, the QMAXSGNACN system value is used to determine the action to be taken. A CPF1393 message is sent to the QSYSOPR message queue (and QSYSMSG message queue if it exists in library QSYS) to notify the security officer of a possible intrusion.

If you create the QSYSMSG message queue in the QSYS library, messages about critical system events are sent to that message queue as well as to QSYSOPR. The QSYSMSG message queue can be monitored separately by a program or a system operator. This provides additional protection of your system resources. Critical system messages in QSYSOPR are sometimes missed because of the volume of messages sent to that message queue.
..."


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.