User Exit Program for the GETMFA, ENROLL commands

MFA lets you programmatically select which users should be asked to go through self-enrollment. It can also decide whether MFA is required or not. This is done with an exit program that can modify the parameters of the GETMFA command. The GETMFA command runs behind the sign-on.

The GETMFA command has 2 parameters: GETMFA (), which tells whether MFA is required or not, and ENROLL (), which is used to activate self-enrollment if enrollment data has not yet been entered for the user who signs on.

The program can change the default of *IFNOATR. If there is no enrollment information, the user will be requested to enroll.

The program already retrieves the main user profile parameters, such as Special Authorities.

To implement, see an example CL program in MZO/ODSOURCE MFADJUST. Copy it to your own library. Modify it as desired. Compile it to library SMZODTA.

Use Case Examples

If your organization decided not to use MFA for users who have Limited Capabilities, enter the following lines in the exit program:

If         (&LmtCpb=*YES) Do
ChgVar     &MFA     *NO           /* Do not rqst MFA         */
ChgVar     &ENROLL  *NO           /* Do not enroll           */
EndDo

If your organization decided to use MFA only for users who have *ALLOBJ special authority, enter the following lines in the exit program:

If         (&AllObj *NE Y) Do
ChgVar     &MFA     *NO           /* Do not rqst MFA         */
ChgVar     &ENROLL  *NO           /* Do not enroll           */
EndDo
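
Before compiling either rule into the exit program, it helps to list which profiles the rule would exempt and which of those still hold special authorities. The Python sketch below is an added example, not part of the product or its MFADJUST sample source; the profile data is constructed, and the field names are assumptions modelled on the &LmtCpb and &AllObj variables above.

```python
# Dry run of the two exemption rules from the use cases above.
# PROFILES is constructed sample data, not output from a real system.
PROFILES = [
    {"user": "ADMIN1",  "lmtcpb": "*NO",  "spcaut": {"*ALLOBJ", "*SECADM"}},
    {"user": "OPER1",   "lmtcpb": "*NO",  "spcaut": {"*JOBCTL", "*SAVSYS"}},
    {"user": "SECADM2", "lmtcpb": "*NO",  "spcaut": {"*SECADM", "*AUDIT"}},
    {"user": "KIOSK1",  "lmtcpb": "*YES", "spcaut": set()},
    {"user": "CLERK1",  "lmtcpb": "*NO",  "spcaut": set()},
]


def rule_limited_capabilities(profile):
    """First use case: exempt users who have Limited Capabilities."""
    return profile["lmtcpb"] == "*YES"


def rule_allobj_only(profile):
    """Second use case: exempt every user who lacks *ALLOBJ."""
    return "*ALLOBJ" not in profile["spcaut"]


def dry_run(profiles, exempt_rule):
    """Return (exempt, flagged).

    exempt  - users for whom the rule would set MFA and ENROLL to *NO
    flagged - exempt users that still hold at least one special authority,
              mapped to those authorities, for review before deployment
    """
    exempt, flagged = [], {}
    for profile in profiles:
        if exempt_rule(profile):
            exempt.append(profile["user"])
            if profile["spcaut"]:
                flagged[profile["user"]] = sorted(profile["spcaut"])
    return exempt, flagged


if __name__ == "__main__":
    for rule in (rule_limited_capabilities, rule_allobj_only):
        exempt, flagged = dry_run(PROFILES, rule)
        print(rule.__name__)
        print("  exempt from MFA:", ", ".join(exempt) or "(none)")
        for user, authorities in flagged.items():
            print("  review:", user, "still holds", " ".join(authorities))
```

With this sample data the *ALLOBJ-only rule exempts two profiles that keep other special authorities, which is the kind of result to confirm with the security officer before the exit program is compiled.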