>Sounds like Evan's method would allow
>me to sign on even if QINTER is ended.

Note: Evan's method is to create a duplicate interactive subsystem and limit access via workstation name entries. The question was brought up about TCP/IP QPADEVxxxx random names and how to restrict in that situation.

Hypothesis: Restrict access to the duplicate subsystem's job queue. Bring up the duplicate subsystem and bring down QINTER during backups. "Emergency" personnel will be able to sign on but ordinary users will not.

Synopsis: Restricting access to the job queue will not restrict a user to the attached subsystem. You need to restrict access to the SBSD.

Detail:

===> CRTDUPOBJ OBJ(QINTER) FROMLIB(QSYS) OBJTYPE(*SBSD) TOLIB(BUCK) NEWOBJ(BUCK)
===> CRTJOBQ JOBQ(BUCK/BUCK) TEXT('Test for alternate interactive sbs')
===> RMVJOBQE SBSD(BUCK) JOBQ(qinter)
===> RMVJOBQE SBSD(BUCK) JOBQ(qs36mrt)
... remove any others. Use DSPSBSD option 6 to see
===> ADDJOBQE SBSD(BUCK) JOBQ(BUCK) MAXACT(*NOMAX)
... DSPSBSD and check 7-10. Remove unnecessary entries
===> CRTUSRPRF USRPRF(restricted)
===> CRTUSRPRF USRPRF(allowed)
===> grtobjaut buck *sbsd *public *exclude
===> grtobjaut buck *sbsd allowed *use
...be aware of *GROUP authority you may want to discard.

With QINTER up:

As "allowed"
===> tfrjob buck/buck
===> wrkactjob sbs(buck)

Opt  Subsystem/Job  User
     BUCK           QSYS
       QPADEV000A   ALLOWED

As "restricted"
===> tfrjob buck/buck
RESTRICTED not authorized to subsystem BUCK

As "buck"
===> endsbs qinter

With QINTER down and BUCK up:

signoff
see sign-on screen for sbs(buck)
sign on as buck
OK
signoff
see sign-on screen for sbs(buck)
sign on as restricted - CPF1109 - not authorized to subsystem.

It looks like I need to read up on how signing-on routes through the system. I find it odd that RESTRICTED can sign on when denied access to the job queue. Undoubtedly a misunderstanding of work management on my part.

Buck
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].