Buck

Slight correction - my method is to actually secure it using the routing entry - though feel free to propagate the "Evan's method" bit :)

Basically I set the routing entries up so if people have the correct routing entry they get a command line and if they haven't they get SIGNOFF.

I dismissed workstation control because at the time I could not easily control QPADEV* device names, although I have since got around this via a telnet exit program and some IP/device name controls but that is (maybe ?) another issue.

I also dismissed the workstation entry control because I could not predict when I might need to sign on at any particular device, telnet and IP have changed the security rules just a bit.... using a routing entry gave me protection at a more logical level.

Cheers
Evan

> >Sounds like Evan's method would allow
> >me to sign on even if QINTER is ended.
>
>Note: Evan's method is to create a duplicate interactive subsystem and limit
>access via workstation name entries. The question was brought up about
>TCP/IP QPADEVxxxx random names and how to restrict in that situation.
>
>Hypothesis: Restrict access to the duplicate subsystem's job queue. Bring
>up the duplicate subsystem and bring down QINTER during backups.
>"Emergency" personnel will be able to sign on but ordinary users will not.
>
>Synopsis: Restricting access to the job queue will not restrict a user to
>the attached subsystem. You need to restrict access to the SBSD.
>
>Detail:
> ===> CRTDUPOBJ OBJ(QINTER) FROMLIB(QSYS) OBJTYPE(*SBSD)
>TOLIB(BUCK) NEWOBJ(BUCK)
>
> ===> CRTJOBQ JOBQ(BUCK/BUCK) TEXT('Test for alternate interactive sbs')
> ===> RMVJOBQE SBSD(BUCK) JOBQ(qinter)
> ===> RMVJOBQE SBSD(BUCK) JOBQ(qs36mrt)
>... remove any others. Use DSPSBSD option 6 to see
> ===> ADDJOBQE SBSD(BUCK) JOBQ(BUCK) MAXACT(*NOMAX)
>... DSPSBSD and check 7-10. Remove unnecessary entries
> ===> CRTUSRPRF USRPRF(restricted)
> ===> CRTUSRPRF USRPRF(allowed)
> ===> grtobjaut buck *sbsd *public *exclude
> ===> grtobjaut buck *sbsd allowed *use
>...be aware of *GROUP authority you may want to discard.
>
>With QINTER up:
>As "allowed"
> ===> tfrjob buck/buck
> ===> wrkactjob sbs(buck)
>Opt Subsystem/Job User
> BUCK QSYS
> QPADEV000A ALLOWED
>
>As "restricted"
> ===> tfrjob buck/buck
> RESTRICTED not authorized to subsystem BUCK
>
>As "buck"
> ===> endsbs qinter
>
>With QINTER down and BUCK up:
>signoff
>see sign-on screen for sbs(buck)
>sign on as buck OK
>
>signoff
>see sign-on screen for sbs(buck)
>sign on as restricted - CPF1109 - not authorized to subsystem.
>
>It looks like I need to read up on how signing-on routes through the system.
>I find it odd that RESTRICTED can sign on when denied access to the job
>queue. Undoubtedly a misunderstanding of work management on my part.
>
>Buck
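One way the routing-entry control described in the reply above could be set up, as an added example that is not code from either poster. It assumes the duplicate subsystem BUCK/BUCK from the quoted test, routing entries at sequence numbers 10 and 9999 inherited from QINTER (confirm with DSPSBSD), and hypothetical names EMERGJOBD, EMERG and SIGNOFFPGM.

```cl
/* Added example, not from the original thread.                      */
/* Assumptions: SBSD BUCK/BUCK is a duplicate of QINTER; routing     */
/* entries 10 (QCMDI) and 9999 (*ANY) were copied with it; EMERG,    */
/* EMERGJOBD and SIGNOFFPGM are hypothetical names.                  */
/*                                                                   */
/* BUCK/SIGNOFFPGM is a separate CL program whose whole source is:   */
/*     PGM                                                           */
/*     SIGNOFF                                                       */
/*     ENDPGM                                                        */

PGM

/* Job description whose routing data identifies emergency users.    */
CRTJOBD    JOBD(QGPL/EMERGJOBD) RTGDTA('EMERG') +
             TEXT('Routing data for emergency sign-on')

/* The job description is the key: nobody else may use it.           */
GRTOBJAUT  OBJ(QGPL/EMERGJOBD) OBJTYPE(*JOBD) USER(*PUBLIC) +
             AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QGPL/EMERGJOBD) OBJTYPE(*JOBD) USER(ALLOWED) +
             AUT(*USE)
CHGUSRPRF  USRPRF(ALLOWED) JOBD(QGPL/EMERGJOBD)

/* The subsystem must be inactive while its routing entries change.  */
/* Drop the inherited QCMDI entry so default routing data no longer  */
/* reaches a command line in this subsystem.                         */
RMVRTGE    SBSD(BUCK/BUCK) SEQNBR(10)

/* Matching routing data gets the normal command processor.          */
ADDRTGE    SBSD(BUCK/BUCK) SEQNBR(10) CMPVAL('EMERG') +
             PGM(QSYS/QCMD) CLS(QGPL/QINTER)

/* Everything else falls through to *ANY and is signed off.          */
CHGRTGE    SBSD(BUCK/BUCK) SEQNBR(9999) PGM(BUCK/SIGNOFFPGM)

ENDPGM
```

Any other routing entries copied from QINTER that route to QCMD need the same treatment, and because the control rests on routing data, authority to change job descriptions and user profiles has to stay with the administrator.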
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].