Kisco Systems

Kisco U

IBM i network attribute settings

Home : Kisco U : IBM i network attribute settings

Consider the classic situation of a payroll clerk running a payroll application from a terminal session. Using secure menu design, you can implement a system that restricts this user's access to the payroll files. However, the IBM i security for these files will probably be *USE or *CHANGE to allow this user to process updates. If this user were to experiment with the iSeries Access utilities for download, that level of permission would allow them to download the entire payroll file.

There are some simple network attribute settings that you can use to implement additional controls. Use Display Network Attributes (DSPNETA) Change Network Attributes (CHGNETA) to modify these settings:

Job action (JOBACN)
This controls how the system will process remote requests to run jobs. It has three settings which are *REJECT, *FILE and *SEARCH. The default is *FILE. If you are concerned about this, just change the default setting to *REJECT and you're safe. When it is set to *FILE, the incoming request is queued to a network file for the designated user and the job must then be reviewed and started by the user. *SEARCH sets up a search of the network job table.

Client request access (PCSACC)
The PCSACC parameter controls how a PC will have access to objects on your system. This has no bearing at all on the use of the workstation emulator, it is just for object access for the various iSeries Access functions like download, etc.

The possible values for PCSACC are:

  • *REJECT - all object requests are rejected regardless of what they are.
  • *OBJAUT - OS/400 object authority is checked and supported (the default setting).
  • *REJFAC - the system checks for a registered exit program and passes authentication to the exit program for processing.
  • program name - the registered program name is called to verify authentication.

Just change this setting to *REJECT if you want to block object access, but that's an unlikely scenario. On the surface, *OBJAUT sounds like a good choice, however, this means that any user profile that is authorized to process and/or update files from an interactive application could also have full access from the iSeries Access side. Using a program name or a registered exit point is the best method.

Network attributes are editable in Nav. Use Network > Network Attributes:

DDM request access (DDMACC)
The DDM Request Access setting decides how to handle security from remote systems requesting data using the Distributed Data Management functions. These can be from PCs or from other DDM compatible platforms such as other IBM i systems or even mainframes.

The possible values for the DDMACC are similar to those for PCSACC with the exception that *REJFAC is not offered. The same advice for this applies as for PCSACC. The program name option provides the only exit point available to control DDM access.

Our exit point firewall, SafeNet/i supports the exit points discussed above.