× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. August 2001

Re: Securing interactive work during backups (was: QINACTITV does not appear to be working)

Buck

Slight correction - my method is to actually secure it using the routing
entry - though feel free to propogate the "Evan's method" bit :)

Basically I set the routing entries up so if people have the correct
routing entry they get a command line and if they havent they get SIGNOFF.

I dismissed workstation control because at the time I could not easily
control QPADEV* device names, although I have since got around this via a
telnet exit program and some IP/device name controls but that is (maybe ?)
another issue.

I also dismissed the workstation entry control because I could not predict
when I might need to sign on at any particular device, telnet and IP have
changed the security rules just a bit.... using a routing entry gave me
protection at a more logical level.

Cheers
Evan

> >Sounds like Evan's method would allow
> >me to sign on even if QINTER is ended.
>
>Note: Evan's method is to create a duplicate interactive subsystem and limit
>access via workstation name entries.  The question was brought up about
>TCP/IP QPADEVxxxx random names and how to restrict in that situation.
>
>Hypothesis: Restrict access to the duplicate subsystem's job queue.  Bring
>up the duplicate subsystem and bring down QINTER during backups.
>"Emergency" personnel will be able to sign on but ordinary users will not.
>
>Synopsis: Restricting access to the job queue will not restrict a user to
>the attached subsystem.  You need to restrict access to the SBSD.
>
>Detail:
>  ===> CRTDUPOBJ OBJ(QINTER) FROMLIB(QSYS) OBJTYPE(*SBSD)
>TOLIB(BUCK) NEWOBJ(BUCK)
>
>  ===> CRTJOBQ JOBQ(BUCK/BUCK) TEXT('Test for alternate interactive sbs')
>  ===> RMVJOBQE SBSD(BUCK) JOBQ(qinter)
>  ===> RMVJOBQE SBSD(BUCK) JOBQ(qs36mrt)
>... remove any others.  Use DSPSBSD option 6 to see
>  ===> ADDJOBQE SBSD(BUCK) JOBQ(BUCK) MAXACT(*NOMAX)
>... DSPSBSD and check 7-10.  Remove unnecessary entries
>  ===> CRTUSRPRF USRPRF(restricted)
>  ===> CRTUSRPRF USRPRF(allowed)
>  ===> grtobjaut buck *sbsd *public *exclude
>  ===> grtobjaut buck *sbsd allowed *use
>...be aware of *GROUP authority you may want to discard.
>
>With QINTER up:
>As "allowed"
>  ===> tfrjob buck/buck
>  ===> wrkactjob sbs(buck)
>Opt  Subsystem/Job  User
>      BUCK           QSYS
>        QPADEV000A   ALLOWED
>
>As "restricted"
>  ===> tfrjob buck/buck
>  RESTRICTED not authorized to subsystem BUCK
>
>As "buck"
>  ===> endsbs qinter
>
>With QINTER down and BUCK up:
>signoff
>see sign-on screen for sbs(buck)
>sign on as buck OK
>
>signoff
>see sign-on screen for sbs(buck)
>sign on as restricted - CPF1109 - not authorized to subsystem.
>
>It looks like I need to read up on how singing-on routes through the system.
>I find it odd that RESTRICTED can sign on when denied access to the job
>queue.  Undoubtedly a misunderstanding of work management on my part.
>
>Buck

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.