Partner TechTip: Don't Forget These User Profile Attributes
Tips & Techniques - Security
Written by Carol Woodbury
Thursday, 13 November 2008 19:00
Do your users have "limited capability," or do you just think they do?
You don't hear as much about the user profile setting of "limited capabilities" as you used to in the early days of OS/400. In the early releases, configuring users' initial program to launch them directly into the appropriate application as well as setting users' initial menu to *SIGNOFF and their limited capability attribute to *YES was about all an administrator had to do to make sure the data residing on an AS/400 was secure.
Those days are long gone, but the importance of using these user profile attributes isn't. Sure, there are many ways in today's IBM i world for a user to gain access to data beyond a menu environment, and a good dose of object-level security is required to secure data. But that doesn't mean you shouldn't take advantage of the features these attributes provide.
Let's take a look.
The most popular task performed by a user's initial program is to launch the user into the appropriate application menu. However, I've seen initial programs perform many tasks: setting up a library list, adopting authority to set up the user's authority to use the application, and configuring various job attributes.
When a user signs on to the system, the initial program, if defined, runs first, and then the initial menu is presented. So if the initial program establishes the user's menu environment, what should the initial menu be used for? To tell the OS that when the initial program ends--i.e., the user exits the initial program--the user is to be immediately signed off. This feature prohibits users from "wandering" around the system. Rather, they're confined to the menus to which they've been assigned. Specify *SIGNOFF for the initial menu attribute to cause users to be signed off when exiting their initial program.
Even though the limited capability parameter is ignored by some of the TCP/IP servers (such as the remote command server), you should still use this parameter to limit the commands a user can enter from a command line.
Limited capability *YES means that users can only run commands that have been configured to be run by a limited-capability user. IBM i ships a handful of commands that a limited capability user can run: Sign Off (SIGNOFF), Send Message (SNDMSG), Display Message (DSPMSG), Display Job (DSPJOB), Display Job Log (DSPJOBLOG), Start PC Organizer (STRPCO), and Work with Messages (WRKMSG). Also, when users sign on to the system, they cannot change their initial program, initial menu, current library, or attention key program.
*PARTIAL means users can't change their initial program, current library, and attention key program but can change their initial menu and run commands. Quite honestly, I've never understood the benefits of setting a user to *PARTIAL. To me, it's as wide open as setting the value to *NO, which means the user can change all settings previously described as well as enter all commands. You should review users' limited-capability setting, setting as many users as possible to *YES to control who can enter commands from a command line as well as FTP's remote command function.
How Policy Minder Can Help
User Profile Policy Templates
As you define a user profile policy template, you can define how a user's initial program, initial menu, and limited-capability attributes are to be configured. When you run a compliance check against the user profile template, Policy Minder will identify any profile whose attributes don't match your policy and also identify which attributes cause them to be non-compliant. You can choose to manually change the user profiles by using the Change User Profile (CHGUSRPRF) command, or you can enable and run the Policy Minder FixIt function to have Policy Minder make the attribute changes. All changes made through Policy Minder are logged in the Message log along with the attribute's previous value.
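As an added example (not Policy Minder's or IBM's code), the script below performs the kind of user profile compliance check just described over a constructed CSV export of profile attributes: it applies the policy from this article (an initial program, an initial menu of *SIGNOFF, limited capability *YES, with *PARTIAL treated as non-compliant), records each attribute's current value, and builds the CHGUSRPRF command that would correct it. The column names of the sample export are an assumption; INLMNU and LMTCPB are the real CHGUSRPRF keywords for those attributes.

```python
import csv
import io

# Constructed sample CSV export of user profile attributes (column names are
# this example's own; map them to your DSPUSRPRF outfile or SQL query columns).
SAMPLE_EXPORT = """\
profile,initial_program,initial_menu,limited_capability
ORDERCLK,ORDMENU,*SIGNOFF,*YES
ACCTCLK,*NONE,MAIN,*NO
WHSUSER,WHSMENU,*SIGNOFF,*PARTIAL
DEVVENDOR,DEVPGM,MAIN,*YES
"""

# Policy from the article; *PARTIAL is non-compliant because it still lets the
# user change the initial menu and run commands. Each entry is
# (required value, CHGUSRPRF keyword that the check can fix automatically).
POLICY = {"initial_menu": ("*SIGNOFF", "INLMNU"),
          "limited_capability": ("*YES", "LMTCPB")}

def check_profile(row):
    """Return (attribute, actual, required) mismatches for one profile."""
    findings = []
    if row["initial_program"].upper() == "*NONE":
        findings.append(("initial_program", "*NONE", "an application program"))
    for attr, (required, _) in POLICY.items():
        actual = row[attr].upper()
        if actual != required:
            findings.append((attr, actual, required))
    return findings

def fixit_command(profile, findings):
    """CHGUSRPRF that corrects INLMNU/LMTCPB; the initial program needs a human
    decision, so it is reported but never changed here."""
    parms = [f"{POLICY[a][1]}({POLICY[a][0]})" for a, _, _ in findings if a in POLICY]
    return f"CHGUSRPRF USRPRF({profile}) " + " ".join(parms) if parms else None

def audit(export_text):
    """Return {profile: (findings, fix_command)} for each non-compliant profile."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = check_profile(row)
        if findings:
            report[row["profile"]] = (findings, fixit_command(row["profile"], findings))
    return report

if __name__ == "__main__":
    for profile, (findings, fix) in audit(SAMPLE_EXPORT).items():
        for attr, actual, required in findings:  # keep the previous value in the log
            print(f"{profile}: {attr}={actual}, policy requires {required}")
        print("  fix:", fix or "manual review")
```

Run the generated CHGUSRPRF commands only after reviewing the log, since an initial program of *NONE means the profile needs a menu decision before the other two attributes are worth changing.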
Commands for Limited Users
I recommend that you run the Policy Minder initialize function (option 60 from the main menu) on the Commands for Limited Users category. Initialization will gather the commands that are currently configured to be run by a user whose limited-capability setting is *YES. Review this list; you may be surprised to discover that vendors or developers have changed commands to allow limited-capability users to run them. Once you are confident that this list reflects your policy requirements, run a compliance check on this category at least monthly to ensure that all commands stay compliant with your command policy.