Setting Firewall Rules Manually based on Users and Groups with the Rule Wizard
NOTE: You can only set Firewall rules manually with the rule wizard if you have set the Wizard type to *STD when opening the wizard.
To set rules manually based on the users or groups requesting the activity in the Rule Wizard, open the Plan User Security screen, as shown in Analyzing Recent Data on Users and Groups with the Rule Wizard (STRAUD > 2 > 42).
| Plan User Security Type choices, press Enter. Subset . . Exists 2=Set by use 4=Dlt 5=DSPFWLOG 6=Crt rule 7=Stats G=Groups U=Users E=CHGUSRPRF Specific rule exists F F F F R R S D O R F O C C C N N M T No specific rule I T T T E R M Q B B M I R S S S P P S C Current: Y, V=By verb L P P P X E T L O J T L D V L L D C C R R G P Revised: Y, N T L S C L X S E S P N I S S T P I I D R N L E S S S User Grp/ Exi- F O R L O E Q N Q E D N R R A R C C D D V N N P R G Opt User sts R G V N G C L T L N B F V V Q T M M M A M M T L V N %ADM Current Y Y Y Y Y Y Y Y V Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Done Y Y Y Y Y Revised %GROUP1 Current Y Y Y Y Y Y Y Y Y Y Y Y Y V Y Y Y Y Y Y Y Y Y Y Y Y Done Y Y Revised DB Y Current Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Done Y Y Y Revised QLWISVR Y Current Done Y Revised More... F3=Exit F6=Add New F8=Print F12=Cancel F17=Set by use globally |
Much of the screen is made up of groups of three lines.
The User Group/User field on the first line shows the user or group to whom the rules apply. If the name is on a green background, a rule set applies directly to that user. If the name is on a pink background, the user or group is included in rules for a generic group.
The Exists field is set to Y if the user profile exists in the system. An additional Exists field appears next to the Subset field at the top of the screen to enable filtering on this value.
The rest of each of the lines shows the rules for a set of servers for one user or group.
Each server is shown in a separate column with the name spelled vertically at the top of the column:
- FILTFR: Original File Transfer Function
- FTPLOG: FTP Server Logon
- FTPSRV: FTP Server-Incoming Request Validation
- FTPCLN: FTP Client-Outgoing Request Validation
- REXLOG: REXEC Server Logon
- REXEC: REXEC Server Request Validation
- RMTSQL: Original Remote SQL Server
- SQLENT: Database Server - entry
- SQL: Database Server - SQL access & Showcase
- DBOPEN: Open Database
- NDB: Database Server - data base access
- OBJINF: Database Server - object information
- RMTSRV: Remote Command/Program Call
- FILSRV: File Server
- DTAQ: Data Queue Server
- VPRT: Original Virtual Print Server
- ORLICM: Original License Management Server
- CSLICM: Central Server - license management
- DDM: DDM request access
- DRDA: DRDA Distributed Relational DB access
- CSCNVM: Central Server - conversion map
- CSCLNM: Central Server - client management
- NPRENT: Network Print Server - entry
- NPRSPL: Network Print Server - spool file
- MSGSRV: Original Message Server
- TCPSGN: TCP Signon Server
Each of the three lines shows the state of rules for the relevant user or group.
- Current shows the rules for each server as they now stand. Possible values include:
- Y: Access requests are accepted
- N: Access requests are rejected
- V: Access requests depend on the server verb used
- Blank: No rule is set. The user or group inherits the rule for the next higher group, up through *ALL
- Done shows the results of the actual activity found for that user or group and server in the data set
- Revised shows the changes that you are making to the rules
To make changes manually, set the values in the columns for the servers for which you want to change in the Revised row for the user. You can set these to Y to accept access requests or N to reject them.
NOTE: While the Current line may show a V for servers for which access is determined by the verbs used, the setting can only be changed to that via the Modify Server Verb Authority screen, as shown in Modifying Firewall Settings for a User based on Server Verbs.
When you have set all the needed values, type 6 in the Opt field next to the name of the user or group for which you are changing the values.
The Update Existing Rule screen appears:
| Update Existing Rule User . . . . . . . . %GROUP1 F F F F R R S D O R F O C C C N N M T I T T T E R M Q B B M I R S S S P P S C L P P P X E T L O J T L D V L L D C C R R G P T L S C L X S E S P N I S S T P I I D R N L E S S S F O R L O E Q N Q E D N R R A R C C D D V N N P R G R G V N G C L T L N B F V V Q T M M M A M M T L V N Current . . . . . . . Y Y Y Y Y Y Y Y Y Y Y Y Y V Y Y Y Y Y Y Y Y Y Y Y Done . . . . . . . . Y Y Y Y Y Y Y Y Y Y Y New authority . . . . N Write this rule . . . Y Y=Yes, N=No Same answer to all . Y=Yes, N=No F12=Cancel |
In this case, the rule being created for the group %GROUP1 would reject access requests to the TCPSGN (TCP Sign-in) server. The other setting would be cleared, and would inherit the value from the next higher group, up to *ALL.
To create this rule manually, type Y in the Write this rule field.
To accept the rule each time that you create it manually within this session, type Y in the Same answer to all field.