Setting Firewall Rules for Users and Groups

To filter incoming activity by users and groups, select 1. Users and Groups from the Work with Users screen (STRFW > 3 > 1).

The Work with User Security screen appears.

                           ​ Work with User Security​                             
                                                    ​
 Subset . . . .​             
Type options, press Enter.​
             ​ (Read top->down)​   ​                    ​ 
 ​
 1=Select  3=Copy  4=Delete  5=Members  6=Groups  7=Where used  8=DSPFWLOG​     
 Note: Non-existing users​ ------------------- Network Servers ---------------  ​ 
 are marked in red. Users​ F   F F F R   R S   D   O R F     O C     C C N N M T​ 
 and %groups with special​ I   T T T E R M Q   B   B M I     R S     S S P P S C​ 
 settings are in blue.   ​ L S P P P X E T L   O   J T L D V L L   D C C R R G P​ 
 (See the documentation) ​ T S L S C L X S E S P N I S S T P I I D R N L E S S S​ 
    ​
 User,GrpPrf,​        ​ F H O R L O E Q N Q E D N R R A R C C D D V N N R R G​ 
 Opt​ %group​     ​ Members​  R D G V N G C L T L N B F V V Q T M M M A M M T V V N​ 
     *PUBLIC   ​         ​      + + +         +   + + + +       + + +         + +​ 
 ​
    %AAII     ​         ​  + + + + + + + + +   + + + + + + + + + + + + + + + + +​ 
 ​
    %ACC      ​      2  ​  + + + + + + + + +   + + + + + + + + + + + + + + + + +​ 
 ​
    %ALEX123  ​      2  ​  + + + + + + + + + + + + + + + + + + + + + + + + + + +​ 
 ​
    %AOO      ​      2  ​  + + + + + + + + + +   + + + + + + + + + + + + + + + +​ 
 ​
    %ATT      ​      2  ​  + + + + + + + + + + + + + + + + + + + + + + + + + + +​ 
 ​
    %BEFSCL12L​      1  ​  + + + + + + + + + + + + + + + + + + + + + + + + + + +​ 
 ​
    %CSXX     ​      2  ​  + + + + + + + + + + + + + + + + + + + + + + + + + + +​ 
 ​
    %DEVELOP1 ​      3  ​  +     + + +                                          ​ 
 ​
    %EVG      ​      4  ​  + + + + + + + + + + + + + + + + + + + + + + + + + + +​ 
                                                                  ​
      More...​ 
 F3=Exit    F6=Add user   F7=Add group          F8=Print list                  ​ 
                                                                                

Firewall supports both IBM i group profiles and its own Firewall User Groups.

The User GrpPrf %group column lists users and groups (including both the IBM i GrpPrf and Firewall's own %group). The Members column shows the number of users included in the group.

NOTE: A Firewall user can also serve as a group. If the Members column for the user is set to *GRPPRF, other users can be added to a group of the same name via the standard CHGUSRPRF screen or command, and inherit the rules and attributes of that user.

The remaining columns show whether the rules set for users or groups can override the global rules for particular servers. The server names, shown vertically at the top of each column, are:

  • FILTFR: Original File Transfer Function
  • SSHD: SSH, SFTP, SCP - Secured CMD Entry, FTP, COPY
  • FTPLOG: FTP logging
  • FTPSRV: FTP Server-Incoming Request Validation
  • FTPCLN: FTP Client-Outgoing Request Validation
  • REXLOG: Remote execution log
  • REXEC: REXEC Server Request Validation
  • RMTSQL: REXEC Server Request Validation
  • SQLENT: Database Server - entry
  • SQL: Database Server - SQL access & Show
  • DBOPEN: Open Database
  • NDB: Database Server - Database access
  • OBJINF: Database Server - object information
  • RMTSRV: Remote Command/Program Call
  • FILSRV: File Server
  • DTAQ: Data Queue Server
  • VPRT: Original Virtual Print Server
  • ORLICM:
  • CSCICM:
  • DDM: DDM request access
  • DRDA: DDM request access
  • CSCNVM: Central Server - conversion map
  • CSCLNN: Central Server - client mgmt
  • NPRENT: Central Server - client mgmt
  • NPRSRL: Network Print Server - spool file
  • MSGSRV: Original Message Server
  • TCPSGN: Original Message Server

The server status values are:

  • + : The user may use this server. This does not override global server security rules.
  • V : For servers that support specific verbs (as shown in Setting Server Verbs to Skip), the user may use those verbs on this server.
  • S : The user can access the server, skipping the check for object authorizations. This is normally used for batch applications that play the role of servers. It increases performance and simplifies tests for some users.
  • Blank : The user may not use this server.
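
The following Python is an added example, not part of Firewall or its documentation: it decodes one row of the matrix into the server names listed above and reports entries worth reviewing, namely any S or V status and any entry with no blank cell. The `NAME|cells` input layout, the names %BATCHGRP and QUSER1, and the sample rows are constructed for the example and are not the product's F8 print format.

```python
# Added example: the "NAME|cells" layout and the sample rows are constructed,
# not the product's print format. Server order follows the list above.
SERVERS = (
    "FILTFR SSHD FTPLOG FTPSRV FTPCLN REXLOG REXEC RMTSQL SQLENT SQL "
    "DBOPEN NDB OBJINF RMTSRV FILSRV DTAQ VPRT ORLICM CSCICM DDM DRDA "
    "CSCNVM CSCLNN NPRENT NPRSRL MSGSRV TCPSGN"
).split()
STATUSES = set("+VS ")  # allowed, verbs allowed, skip authority check, blank


def decode(line):
    """Return (name, {server: status}) for one 'NAME|cells' row."""
    name, sep, cells = line.rstrip("\n").partition("|")
    if not sep:
        raise ValueError(f"missing '|' separator in {line!r}")
    cells = cells.ljust(len(SERVERS))  # trailing blank cells may be trimmed
    if len(cells) != len(SERVERS) or set(cells) - STATUSES:
        raise ValueError(f"bad status cells for {name.strip()!r}")
    return name.strip(), dict(zip(SERVERS, cells))


def review(lines):
    """Return (name, code, servers) findings: S, V, or ALL (no blank cell)."""
    findings = []
    for line in lines:
        name, row = decode(line)
        for code in "SV":
            hit = [srv for srv, status in row.items() if status == code]
            if hit:
                findings.append((name, code, hit))
        if " " not in row.values():
            findings.append((name, "ALL", list(row)))
    return findings


# Constructed sample rows (one status character per server column).
SAMPLE = [
    "%DEVELOP1|+  +++",                       # four servers allowed, rest blank
    "%BATCHGRP|" + "+" * 9 + "S" + "+" * 17,  # S in column 10 (SQL)
    "QUSER1|" + "+" * 27,                     # allowed on every server
]

if __name__ == "__main__":
    for name, code, servers in review(SAMPLE):
        print(f"{name:<10} {code:<3} {' '.join(servers)}")
```
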

To add a user, press the F6 key. The Add User Security screen, shown in Adding Firewall Settings for a User, appears.

To add a group, press the F7 key. The Add User Group Security screen, shown in Adding Firewall Settings for a Group, appears.

To print the list of users and groups and their network server settings, press the F8 key.

To modify the settings for a user or group, enter 1 in the Opt column for that user or group.

For a user, the Modify User Security screen appears, as shown in Modifying Firewall Settings for a User.

For a group, the Modify User Group Security screen appears, as shown in Modifying Firewall Settings for a Group.

To copy the settings from one user or group to another, enter 3 in the Opt column for that user or group. The Copy Definition screen appears, as shown in Copying Firewall Settings for a User or Group.

To delete the settings for a user or group, enter 4 in the Opt column for that user or group. The Delete User Security screen appears, as shown in Deleting Firewall Settings for a User or Group.

To add, remove, or change the members of a group, enter 5 in the Opt column for that group. The Modify Group of Users screen appears, as shown in Changing the Members of a Firewall Group.

To list the groups that include a user, enter 6 in the Opt column for that user. The List of User Groups with User window appears, as shown in Displaying a List of Groups that Include a User.

To list the definitions involving this user or group, enter 7 in the Opt column for that user or group. The Display Spooled File window appears, showing that information.

To list Firewall events involving that user or group, enter 8 in the Opt column for that user or group. The Display Firewall Log (DSPFWLOG) screen appears, as shown in Displaying Firewall Logs.