Setting Firewall Rules for Application Groups

Users who run particular applications often need to access a related group of servers. You can create an Application Group for those users, indicating which servers they may use without further checking. The name of an Application Group consists of a percent sign ("%"), a number sign ("#"), and the name of the application. For example, the group of users who run OPNAV would be %#OPNAV.

Users in Application Groups inherit the group's services and its authorities.

You can define and modify Application Groups from the Work with Application Groups screen. To reach the screen, select 5. Application Groups from the Work with Users screen (STRFW > 3).

The Work with Application Groups screen appears.

                          Work with Application Groups

 Subset . . . .
 Type options, press Enter.                          (Read top->down)
  1=Select  3=Copy  4=Delete  5=Members  7=Where used  8=DSPFWLOG
                          ------------------- Network Servers ---------------
 Note: Groups with special F   F F F R   R S   D   O R F     O C     C C N N M T
 settings are marked in    I   T T T E R M Q   B   B M I     R S     S S P P S C
 blue.                     L S P P P X E T L   O   J T L D V L L   D C C R R G P
 (see the documentation)   T S L S C L X S E S P N I S S T P I I D R N L E S S S
                           F H O R L O E Q N Q E D N R R A R C C D D V N N R R G
 Opt  Appl.Group Members   R D G V N G C L T L N B F V V Q T M M M A M M T V V N
      %#AAAA               + + + + + + + + + + + + + + + + + + + + + + + + + + +
      %#ACCOUNT        3   + + + + + + + + + + + + + + + + + + + + + + + + + + +
      %#GUI            2   + + + + + + + + +   V + + + + + + + + + + + + + + + +
      %#PGM                + + + + + + + + + + + + + + + + + + + + + + + + + + +
      %#SALES              + + + + + + + + + + + + + + + + + + + + + + + + + + +
      %#TEST2              + + + + + + + + + + + + + + + + + + + + + + + + + + +
      %#TEST3              + + + + + + + + + + + + + + + + + + + + + + + + + + +

                                                                        Bottom

The Appl. Group column lists Application Groups known to Firewall. The Members column shows the number of users included in the group.

The rest of the columns show whether the rules set for users or groups can override the global rules for particular servers. The server names, shown vertically at the top of each column, are:

  • FILTFR: Original File Transfer Function
  • SSHD: SSH, SFTP, SCP - Secured CMD Entry, FTP, COPY
  • FTPLOG: FTP logging
  • FTPSRV: FTP Server-Incoming Request Validation
  • FTPCLN: FTP Client-Outgoing Request Validation
  • REXLOG: Remote execution log
  • REXEC: REXEC Server Request Validation
  • RMTSQL: REXEC Server Request Validation
  • SQLENT: Database Server - entry
  • SQL: Database Server - SQL access & Show
  • DBOPEN: Open Database
  • NDB: Database Server - Database access
  • OBJINF: Database Server - object information
  • RMTSRV: Remote Command/Program Call
  • FILSRV: File Server
  • DTAQ: Data Queue Server
  • VPRT: Original Virtual Print Server
  • ORLICM:
  • CSLICM:
  • DDM: DDM request access
  • DRDA: DDM request access
  • CSCNVM: Central Server - conversion map
  • CSCLNN: Central Server - client mgmt
  • NPRENT: Central Server - client mgmt
  • NPRSRL: Network Print Server - spool file
  • MSGSRV: Original Message Server
  • TCPSGN: Original Message Server

The server status values are:

  • + : The user may use this server. This does not override global server security rules.
  • V : For servers that support specific verbs (as shown in Setting Server Verbs to Skip), the user may use those verbs on this server.
  • S : The user can access the server, skipping the check for object authorizations. This is normally used for batch applications that play the role of servers. It increases performance and simplifies tests for some users.
  • Blank : User may not use this server.
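
An added example (not part of the product documentation): a short Python script that audits a saved copy of this listing and reports every cell that is not a plain +, which is how a reviewer would find groups that skip object-authority checks or are blocked from a server. The fixed column offset, the function names, and the %#BATCH row are assumptions made for the example.

```python
import re

# Server columns in screen order, read top-down from the column headers.
SERVERS = ("FILTFR SSHD FTPLOG FTPSRV FTPCLN REXLOG REXEC RMTSQL SQLENT SQL "
           "DBOPEN NDB OBJINF RMTSRV FILSRV DTAQ VPRT ORLICM CSLICM DDM DRDA "
           "CSCNVM CSCLNN NPRENT NPRSRL MSGSRV TCPSGN").split()
STATUS_START = 26  # assumption: 0-based column of the first status cell
MEANING = {"V": "specific verbs allowed",
           "S": "skips object-authority check",
           " ": "no access"}

def parse_row(line):
    """Return (group, members, {server: flag}), or None for non-group lines."""
    line = line.replace("\u200b", "")  # zero-width spaces from copied screens
    m = re.search(r"(%#\S+)\s*(\d*)", line[:STATUS_START])
    if not m:
        return None
    # Trailing blanks are often trimmed, so pad before slicing 2-char cells.
    cells = line[STATUS_START:].ljust(2 * len(SERVERS))
    flags = {srv: cells[2 * i] for i, srv in enumerate(SERVERS)}
    return m.group(1), int(m.group(2) or 0), flags

def audit(listing):
    """List (group, members, server, meaning) for every cell that is not '+'."""
    findings = []
    for line in listing.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        group, members, flags = row
        for srv, flag in flags.items():
            if flag != "+":
                findings.append((group, members, srv,
                                 MEANING.get(flag, f"unknown flag {flag!r}")))
    return findings

# Constructed sample: %#ACCOUNT and %#GUI as on the screen, %#BATCH invented.
SAMPLE = "\n".join([
    " Opt  Appl.Group Members  " + "R D G V N G C L T L N B F V V Q T M M M A M M T V V N",
    "      %#ACCOUNT        3  " + "+ " * 27,
    "      %#GUI            2  " + "+ " * 9 + "  " + "V " + "+ " * 16,
    "      %#BATCH          1  " + "+ " * 14 + "S " + "+ " * 12,
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```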

To add a group, press the F6 key. The Add Application Group Security screen appears, as shown in Adding Firewall Settings for an Application Group.

To print the list of groups and their network server settings, press the F8 key.

To modify the settings for a group, enter 1 in the Opt column for that group. The Modify Application Group Security screen appears, as shown in Modifying Firewall Settings for an Application Group.

To copy the settings from one group to another, enter 3 in the Opt column for that group. The Copy Definition screen appears, as shown in Copying Firewall Settings for a User or Group.

To delete the settings for a user or group, enter 4 in the Opt column for that user or group. The Delete User Security screen appears, as shown in Deleting Firewall Settings for a User or Group.

To add, remove, or change the members of a group, enter 5 in the Opt column for that group. The Modify Group of Users screen appears, as shown in Changing the Members of a Firewall Group.