Modifying Firewall Settings for a User

To modify Firewall settings for a user, enter 1 in the Opt column for the user on the Work with User Security screen, shown in Setting Firewall Rules for Users and Groups (STRFW > 3 > 1).

The Modify User Security screen appears.

                             ​ Modify User Security​                              
                                                                                
 User/GrpPrf . . . . . . . . . . .​  EXAM      ​                                  
                                                                                
 Authorities              ​                                                      
 >​ 1. Services               ​                  ​ FTP, SQL, NDB, DDM ... ​         
  ​ 2. IP                     ​                                                   
  ​ 3. IPv6                   ​                                                   
  ​ 4. Device names           ​                  ​ for SIGNON only​                 
  ​ 5. Services/Locations by %Groups   ​         ​ %FINANCE, %#EXCEL, %@NEWYORK ...
  ​ 6. Chg/Swap users for obj authority​         ​ Assign alt. users by services​   
 Selection ===>​                    ​                                             
                                                                                
 Add %Group/GrpPrf & SupPrf Auth .​             ​ Y=Yes, N=No, blank=Default​ (​ Y​ )
 User allowed to work during . . .​              Time group, *NEVER=Allow by grp​ 
 Ensure user work from a single IP​  N          ​ Y=Yes, I=Interactive only, N=No​ 
 Special treatment for this user .​             ​ F=FYI, S=Skip: Allow, no log​    
                                                                                
 Check (in FW) Native obj auth . .​  3          ​ 1=Allow all, 2=Reject all, 3=Yes
 Check (in FW) IFS auth  . . . . .​  3          ​ 1=Allow all, 2=Reject all, 3=Yes
 F3=Exit​        ​ F4=Prompt​                                      ​ F8=Print​       
 F9=Object security​                ​ F10=Logon security​          ​ F12=Cancel​     
                                                                                
                                                                                

The read-only User/GrpPrf field shows the user name.

Through the options in the Authorities list, you can create specific filters for a user that can override the server's general settings. A greater-than sign (">") before an item shows that its settings have already been changed from the default to a new value.

1. Services

To create filters based on services (such as FTP, SQL, NDB, or DDM), enter 1 in the Selection field. The Add User to Server Security screen appears, as shown in Adding Firewall Settings for a User based on Services.

2. IP

To create filters based on IP addresses, enter 2 in the Selection field. The Work with User IP Validation screen appears, as shown in Adding a Firewall Rule for Outgoing Activity by IP Address.

3. IPv6

To create filters based on IPv6 addresses, enter 3 in the Selection field. The Work with User IPv6 Validation screen appears, as shown in Adding a Firewall Rule for Outgoing Activity by IPv6 Address.

4. Device names

To create filters based on SNA system names, enter 4 in the Selection field. The Work with Sign-On Device Validation screen appears, as shown in Adding a Firewall Rule for Incoming Activity by Remote System Names.

5. Services/Locations by %Groups

You can create groups of users based on applications that they use, locations in which they work, or other criteria. To add members to these groups or to remove them, enter 5 in the Selection field. The Define Allowed Groups screen appears, as shown in Adding a User to Firewall Groups.

6. Chg/Swap users for obj authority

To have the user assume the authority of a different user when using particular servers, enter 6 in the Selection field. The Work with Alternative Users screen appears, as shown in Adding Firewall Settings for a User to Assume Different Authority for a Server.

These options control more aspects of the user's authority:

Add %Group/GrpPrf & SupPrf Auth

To add authority settings from the groups that include this user, type Y.

To prevent adding authority settings from the groups that include this user, type N.

To use the default settings, as defined in Setting Additional Definitions for Firewall, leave the field blank.

User allowed to work during

To limit the user to working within a specified range of hours of the day or days of the week, enter the name of a time group with those time settings (as shown in Defining Time Groups).

To use the default settings for the server, enter *NEVER.

Ensure single IP use

To limit the user to working from one IP address at a time, type Y. The user may have multiple sessions open at a time, but they must all be from the same IP address.

To limit the user's interactive sessions to one IP address at a time, type I. This does not affect the user's batch jobs.

To allow the user to work from multiple IP addresses simultaneously, type N.
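
The three values of this field, replayed against a constructed sequence of connection attempts. This is an added illustration of the behaviour described above, not the product's own code; the class, function and session names are hypothetical, and the rule that an address is released once its last governed session closes is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class SingleIpModel:
    """Toy model of the single-IP setting; not the product's implementation."""
    mode: str  # "Y", "I" or "N", as entered in the field
    # Open sessions as (session_id, ip, kind); kind is "interactive" or "batch".
    sessions: list = field(default_factory=list)

    def _governed(self, kind):
        # Y governs every session, I only interactive ones, N none.
        return self.mode == "Y" or (self.mode == "I" and kind == "interactive")

    def connect(self, session_id, ip, kind):
        """Return True and record the session if the setting would permit it."""
        if self._governed(kind):
            in_use = {s_ip for _, s_ip, s_kind in self.sessions
                      if self._governed(s_kind)}
            # Several sessions may share one address; a second address is refused.
            if in_use and ip not in in_use:
                return False
        self.sessions.append((session_id, ip, kind))
        return True

    def disconnect(self, session_id):
        # Assumption: the address is free again once no governed session uses it.
        self.sessions = [s for s in self.sessions if s[0] != session_id]

def replay(mode, events):
    """Replay (session_id, ip, kind) connection attempts; return each decision."""
    model = SingleIpModel(mode)
    return [model.connect(*event) for event in events]

# Constructed sample: documentation-range addresses, hypothetical session ids.
SAMPLE = [
    ("s1", "192.0.2.10", "interactive"),
    ("s2", "192.0.2.10", "interactive"),    # second session, same address
    ("s3", "198.51.100.7", "batch"),        # batch job from another address
    ("s4", "198.51.100.7", "interactive"),  # interactive from another address
]

if __name__ == "__main__":
    for mode in ("Y", "I", "N"):
        print(mode, replay(mode, SAMPLE))
```

With Y the batch job from the second address is refused along with the interactive session; with I only the interactive session is refused.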

Special treatment for this user

To handle all the user's activity in FYI mode (as shown in Running Firewall in FYI Simulation mode), type F.

To allow all activity by this user without any checks or logging, type S.

Check (in FW) Native auth

To allow the user to access all native objects, without checking native security rules for the object, type 1.

To reject all attempts by the user to access native objects, without checking native security rules for the object, type 2.

To check all attempts by the user to access native objects against Firewall native security rules, type 3.

Check (in FW) IFS auth

To allow the user to access all IFS objects, without checking IFS security rules for the object, type 1.

To reject all attempts by the user to access IFS objects, without checking IFS security rules for the object, type 2.

To check all attempts by the user to access IFS objects against Firewall IFS security rules, type 3.