Hi guys,
What is the best way to limit access to DFU for basic endusers?
What is the best way to limit access to DFU for basic endusers?
A* DFUUAF - DFU authorisation table, record format DFUUAFR.
A* Each record names a USER and the LIB / FILE / MBR that user may update.
A* The wrapper CL program on this page reads it with DCLF/RCVF and treats
A* '*ALL' in LIB, FILE or MBR as "any".
A* NOTE(review): anyone able to change this file can grant DFU access
A* through the wrapper - confirm its object authority excludes end users.
A          R DFUUAFR
A            USER          10A
A            LIB           10A
A            FILE          10A
A            MBR           10A
A          K USER
A* DFUTLF - text log of DFU sessions, record format DFUTLFR.
A* One record per log line: the user profile, a 6-character date and up
A* to 132 characters of text. Keyed by DATE.
A* NOTE(review): the RPG writer on this page receives its text parameter
A* as 128 characters while DFUTXT is 132 - confirm which length is intended.
A          R DFUTLFR
A            USERID        10A         TEXT('User Profile')
A            DATE           6A         TEXT('Date')
A            DFUTXT       132A         TEXT('Data field')
A          K DATE
A* Access log record, format DFUALFR: one record per attempt to use the
A* wrapped command, holding date, time, user, command name, the allowed
A* flag and the library / file / member that was requested. Keyed by DATE.
A* NOTE(review): the RPG program on this page writes format DFULAAR of
A* file DFULAA, not DFUALFR - presumably the same layout under another
A* name; confirm the names before compiling.
A          R DFUALFR
A            DATE           6A
A            TIME           8A
A            USER          10A
A            CMD           10A
A            ALLOWD         1A
A            LIB           10A
A            FILE          10A
A            MBR           10A
A          K DATE
/* Command definition for the replacement "update data" command.         */
/* FILE is an optional qualified name: the first QUAL is the file name,  */
/* the second the library, which defaults to *LIBL and accepts no other  */
/* special value. The CL program on this page reads the value as 20      */
/* characters, file in 1-10 and library in 11-20. MBR defaults to        */
/* *FIRST.                                                               */
/* NOTE(review): the checks live in the command processing program, so   */
/* the real (renamed) DFU command must not be usable by end users        */
/* directly - confirm its object authority.                              */
             CMD        PROMPT('Update Data with Temp Program')
             /* MIN(0): the file may be left blank; the CL program then   */
             /* prompts the command instead of running DFU.               */
             PARM       KWD(FILE) TYPE(FILE) MIN(0) PROMPT('File +
                          Name . . . . . . . . . .')
 FILE:       QUAL       TYPE(*NAME) LEN(10)
             QUAL       TYPE(*NAME) LEN(10) DFT(*LIBL) +
                          SPCVAL((*LIBL)) PROMPT('Library . . . . +
                          . . . . . . .')
             PARM       KWD(MBR) TYPE(*CHAR) LEN(10) DFT(*FIRST) +
                          CHOICE('Name *FIRST') PROMPT('Member . . +
                          . . . . . . . . . .')
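/* phil hancox August 2000 */
/* UPDATED JUNE 2002 IMPROVED SECURITY CHECKING AND FIXED BUG WHERE IT */
/* COULD NOT BE RUN FROM A MENU */
/****************************************************************************/
/* Command processing program for the replacement UPDDTA command.          */
/*                                                                          */
/* Parameters: &FILELIB  20-character qualified file (file 1-10,           */
/*                       library 11-20)                                     */
/*             &UMEMBER  member name, or *FIRST                             */
/*                                                                          */
/* Flow: a blank file name re-prompts the command. Otherwise the request   */
/* is refused for a fixed list of file names, refused for library          */
/* SECFILES unless the user has *SECADM, and then looked up in             */
/* TECHLIB/DFUUAF. Every grant or denial is written through                */
/* TECHLIB/DFULAA. On a grant the renamed DFU command DSPUDP is run,       */
/* followed by program DFUWSL.                                              */
/*                                                                          */
/* NOTE(review): this is an application-level gate. It protects data only  */
/* if end users cannot run DSPUDP directly and if DFUUAF and the log files */
/* cannot be changed by them; the page does not show how those objects     */
/* are secured - confirm their object authority.                           */
/* NOTE(review): DSPUDP, DFUWSL and OUTQ UPDDTALOG are not library         */
/* qualified, so they resolve through the library list of the job -        */
/* consider qualifying them as the DFULAA call already is.                 */
/* NOTE(review): an unexpected error leaves through the global MONMSG      */
/* without writing a DFULAA record, so a failed check leaves no trace.     */
/****************************************************************************/
             PGM        PARM(&FILELIB &UMEMBER)

/* ------ Declare VARIABLES ------------------------------------ */
             DCL        VAR(&CURRENTUSR) TYPE(*CHAR) LEN(10)
             DCL        VAR(&FILELIB) TYPE(*CHAR) LEN(20)
             DCL        VAR(&UFILE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&ULIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&UMEMBER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSG) TYPE(*CHAR) LEN(100)
             DCL        VAR(&LOGCL) TYPE(*CHAR) LEN(10)
             DCL        VAR(&LOGLVL) TYPE(*CHAR) LEN(1)
             DCL        VAR(&DATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&TIME) TYPE(*CHAR) LEN(8)
             DCL        VAR(&CMD) TYPE(*CHAR) LEN(10) VALUE('UPDDTA')
             /* Starts as 'N'; set to 'Y' only at label AUTHORISED. */
             DCL        VAR(&ALLOWD) TYPE(*CHAR) LEN(1) VALUE('N')
             DCL        VAR(&OUTPUTQ) TYPE(*CHAR) LEN(10)

/* ------ Declares for QSYCUSRS special authority API ---------- */
             DCL        VAR(&SPCAUT) TYPE(*CHAR) LEN(10) VALUE('*SECADM ')
             DCL        VAR(&SECADM) TYPE(*CHAR) LEN(1)
             DCL        VAR(&NUMENTRIES) TYPE(*CHAR) LEN(4)
             /* NOTE(review): USER is also a field of DFUUAF in the DDS  */
             /* on this page, so RCVF overwrites this value after the    */
             /* API call - confirm the double declaration compiles.      */
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10) VALUE('*CURRENT')
             DCL        VAR(&LEVEL) TYPE(*CHAR) LEN(4)
             DCL        VAR(&ERRORCODE) TYPE(*CHAR) LEN(18) +
                          VALUE(X'00000000')
             DCL        VAR(&ERROR) TYPE(*CHAR) LEN(30)

             DCLF       FILE(TECHLIB/DFUUAF)

             /* Any error not monitored below ends the program without  */
             /* running DFU.                                            */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(END))

/* HIDE THE COMMANDS SO PEOPLE CAN'T SEE WHAT IS HAPPENING */
             /* Job settings are saved here and restored at END. With   */
             /* logging switched off, the DFULAA record is the only     */
             /* trace this program leaves.                              */
             RTVJOBA    USER(&CURRENTUSR) LOGLVL(&LOGLVL) +
                          LOGCLPGM(&LOGCL) OUTQ(&OUTPUTQ)
             CHGJOB     OUTQ(UPDDTALOG) LOG(0) LOGCLPGM(*NO)

/* IF NO FILE ENTERED THEN PROMPT UPDDTA */
             /* Tested by position (blank file name, library *LIBL)     */
             /* rather than against one padded literal, so the test     */
             /* does not depend on the exact run of blanks.             */
             IF         COND((%SST(&FILELIB 1 10) *EQ ' ') *AND +
                          (%SST(&FILELIB 11 10) *EQ '*LIBL')) THEN(DO)
             ? UPDDTA
             GOTO       CMDLBL(END)
             ENDDO

/* Setup some variables etc */
             RTVSYSVAL  SYSVAL(QDATE) RTNVAR(&DATE)
             RTVSYSVAL  SYSVAL(QTIME) RTNVAR(&TIME)
             CHGVAR     VAR(&UFILE) VALUE(%SST(&FILELIB 1 10))
             CHGVAR     VAR(&ULIB) VALUE(%SST(&FILELIB 11 10))
             /* Rebuild the time as hh:mm:ss for the log record. */
             CHGVAR     VAR(&TIME) VALUE(%SST(&TIME 1 2) *TCAT ':' +
                          *TCAT %SST(&TIME 3 2) *TCAT ':' *TCAT +
                          %SST(&TIME 5 2))

/* SEE IF USER HAS *SECADM SPECIAL AUTHORITY */
             CHGVAR     VAR(%BIN(&NUMENTRIES)) VALUE(1)
             CHGVAR     VAR(%BIN(&LEVEL)) VALUE(0)
             CALL       PGM(QSYCUSRS) PARM(&SECADM &USER &SPCAUT +
                          &NUMENTRIES &LEVEL &ERRORCODE)

/* EXCLUDE SOME FILES */
             /* Matched on file name alone, in any library and for any  */
             /* user.                                                   */
             IF         COND((&UFILE *EQ 'SACLLG00') +
                          *OR (&UFILE *EQ 'SACLLG01') +
                          *OR (&UFILE *EQ 'SABRPL00') +
                          *OR (&UFILE *EQ 'BILL_LOG') +
                          *OR (&UFILE *EQ 'SAFRLG00') +
                          *OR (&UFILE *EQ 'SAFRLG01')) +
                          THEN(GOTO CMDLBL(NOTALLOWED))

/* IF *LIBL ENTERED FOR LIBRARY THEN RETRIEVE THE LIBRARY NAME FOR THE FILE */
             /* Resolved before the library checks below so they test   */
             /* the library that will actually be used.                 */
             IF         COND(&ULIB *EQ '*LIBL') THEN(DO)
             RTVOBJD    OBJ(&UFILE) OBJTYPE(*FILE) RTNLIB(&ULIB)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(END))
             ENDDO

/* if SECFILES library and no *SECADM then do not allow */
             /* Fail closed: anything other than an explicit 'Y' from   */
             /* QSYCUSRS is treated as "no *SECADM".                    */
             IF         COND((&ULIB *EQ 'SECFILES') *AND (&SECADM +
                          *NE 'Y')) THEN(GOTO CMDLBL(NOTALLOWED))

/* CHECK DFUUAF FILE FOR AUTHORITY */
             /* Any RCVF error, including end of file, means no grant   */
             /* matched, so the request is denied.                      */
 LOOP:       RCVF
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(NOTALLOWED))
/* is user authorised to UPDDTA */
             IF         COND(&CURRENTUSR *NE &USER) THEN(GOTO +
                          CMDLBL(LOOP))
/* if authorised what can he update */
             IF         COND(&LIB *EQ '*ALL') THEN(GOTO +
                          CMDLBL(AUTHORISED))
/* if library specified then check file */
             IF         COND(&ULIB *EQ &LIB) THEN(DO)
             IF         COND(&FILE *EQ '*ALL') THEN(GOTO +
                          CMDLBL(AUTHORISED))
/* if file specified then check member */
             IF         COND(&UFILE *EQ &FILE) THEN(DO)
             IF         COND(&MBR *EQ '*ALL') THEN(GOTO +
                          CMDLBL(AUTHORISED))
             /* Turn *FIRST into the real member name before comparing. */
             IF         COND(&UMEMBER *EQ '*FIRST') THEN(RTVMBRD +
                          FILE(&ULIB/&UFILE) RTNMBR(&UMEMBER))
             IF         COND(&UMEMBER *EQ &MBR) THEN(GOTO +
                          CMDLBL(AUTHORISED))
             ENDDO
             ENDDO
             /* No match on this record: read the next one. */
             GOTO       CMDLBL(LOOP)

 AUTHORISED: CHGVAR     VAR(&ALLOWD) VALUE('Y')
             /* &MSG is built but not sent or logged anywhere in this   */
             /* program.                                                */
             CHGVAR     VAR(&MSG) VALUE('User' *BCAT &CURRENTUSR +
                          *BCAT 'granted UPDDTA to' *BCAT &UFILE +
                          *BCAT 'in' *BCAT &ULIB *BCAT +
                          'member' *BCAT &UMEMBER)
             CALL       PGM(TECHLIB/DFULAA) PARM(&DATE &TIME +
                          &CURRENTUSR &CMD &ALLOWD &ULIB &UFILE +
                          &UMEMBER)
/* THE REAL (RENAMED) UPDDTA COMAND IS ON THE NEXT LINE */
             DSPUDP     FILE(&ULIB/&UFILE) MBR(&UMEMBER)
             /* Presumably the log capture program listed after this    */
             /* one on the page - confirm.                              */
             CALL       PGM(DFUWSL)
             GOTO       CMDLBL(END)

 NOTALLOWED: CHGVAR     VAR(&MSG) VALUE('User' *BCAT &CURRENTUSR +
                          *BCAT 'DENIED access to UPDDTA cmd trying +
                          to update file' *BCAT &UFILE *BCAT 'in' +
                          *BCAT &ULIB *BCAT 'member' *BCAT &UMEMBER)
             /* &ALLOWD is still 'N' here, so this records a denial. */
             CALL       PGM(TECHLIB/DFULAA) PARM(&DATE &TIME +
                          &CURRENTUSR &CMD &ALLOWD &ULIB &UFILE &UMEMBER)
             RMVMSG     CLEAR(*ALL)

             /* Put back the job settings saved at the start. */
 END:        CHGJOB     OUTQ(&OUTPUTQ) LOG(&LOGLVL) LOGCLPGM(&LOGCL)
             ENDPGM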
/* Copies the last QPDZDTALOG spooled file of the current job into      */
/* QTEMP/TMPLOG and passes its lines to TECHLIB/DFUWLE one at a time,   */
/* between a START and an END marker. Page-heading lines are skipped    */
/* and the three "Records Added / Changed / Deleted" totals are joined  */
/* into one log line.                                                   */
/* NOTE(review): when no QPDZDTALOG spooled file is found (CPF3303) the */
/* program ends without calling DFUWLE at all, so that session leaves   */
/* no record here - confirm this is acceptable for the audit trail.     */
/* NOTE(review): &MSG is 132 long here, but the RPG program on this     */
/* page declares its text parameter as 128 - confirm.                   */
/* NOTE(review): &TMPLOG is declared with DCL and is presumably also    */
/* the field name DCLF takes from QTEMP/TMPLOG - confirm it compiles.   */
             PGM
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&JOB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&DATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&REMIND) TYPE(*DEC) LEN(3 0)
             DCL        VAR(&MSG) TYPE(*CHAR) LEN(132)
             DCL        VAR(&MSG1) TYPE(*CHAR) LEN(36)
             DCL        VAR(&MSG2) TYPE(*CHAR) LEN(23)
             DCL        VAR(&MSG3) TYPE(*CHAR) LEN(23)
             DCL        VAR(&MSG4) TYPE(*CHAR) LEN(23)
             DCL        VAR(&TXT) TYPE(*CHAR) LEN(10) VALUE('DFU')
             DCL        VAR(&FILE) TYPE(*CHAR) LEN(11)
             DCL        VAR(&MBR) TYPE(*CHAR) LEN(11)
             DCL        VAR(&LIB) TYPE(*CHAR) LEN(11)
             DCL        VAR(&TIME) TYPE(*CHAR) LEN(6)
             DCL        VAR(&TMPLOG) TYPE(*CHAR) LEN(132)
             DCLF       FILE(QTEMP/TMPLOG)

             RTVJOBA    JOB(&JOB) USER(&USER) DATE(&DATE)
             /* Point DFUTLF at the copy in AUDITLIB for the rest of    */
             /* this program.                                           */
             OVRDBF     FILE(DFUTLF) TOFILE(AUDITLIB/DFUTLF)

             /* Create the 132-byte work file on first use in this job. */
             CHKOBJ     OBJ(QTEMP/TMPLOG) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF9801) EXEC(CRTPF +
                          FILE(QTEMP/TMPLOG) RCDLEN(132))

             /* No spooled file to copy: leave without logging. */
             CPYSPLF    FILE(QPDZDTALOG) TOFILE(QTEMP/TMPLOG) +
                          JOB(*) SPLNBR(*LAST)
             MONMSG     MSGID(CPF3303) EXEC(GOTO CMDLBL(END))

             RTVSYSVAL  SYSVAL(QTIME) RTNVAR(&TIME)
             CHGVAR     VAR(&MSG) VALUE(&TIME *BCAT '**START UPDDTA **')
             CALL       PGM(TECHLIB/DFUWLE) PARM(&USER &DATE &MSG)

             /* Any RCVF error, including end of file, ends the loop. */
 READF:      RCVF
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(EOF))

             /* Heading lines are not logged. */
             IF         COND((%SST(&TMPLOG 58 5) *EQ 'AUDIT') *OR +
                          (%SST(&TMPLOG 28 9) *EQ '* * * * *') *OR +
                          (%SST(&TMPLOG 3 9) *EQ 'Job Title') *OR +
                          (%SST(&TMPLOG 52 13) *EQ 'Saudi Telecom')) +
                          THEN(GOTO CMDLBL(READF))

             /* Hold the "added" total until the "deleted" line. */
             IF         COND(%SST(&TMPLOG 25 13) *EQ 'Records Added') +
                          THEN(DO)
             CHGVAR     VAR(&MSG2) VALUE(%SST(&TMPLOG 18 23))
             GOTO       CMDLBL(READF)
             ENDDO

             /* Hold the "changed" total as well. */
             IF         COND(%SST(&TMPLOG 25 15) *EQ 'Records Changed') +
                          THEN(DO)
             CHGVAR     VAR(&MSG3) VALUE(%SST(&TMPLOG 18 23))
             GOTO       CMDLBL(READF)
             ENDDO

             /* The "deleted" line completes the totals: log all three  */
             /* as one entry.                                           */
             IF         COND(%SST(&TMPLOG 25 15) *EQ 'Records Deleted') +
                          THEN(DO)
             CHGVAR     VAR(&MSG4) VALUE(%SST(&TMPLOG 18 23))
             CHGVAR     VAR(&MSG) VALUE(&MSG2 *BCAT &MSG3 *BCAT &MSG4)
             CALL       PGM(TECHLIB/DFUWLE) PARM(&USER &DATE &MSG)
             GOTO       CMDLBL(READF)
             ENDDO

             /* Every other line is logged as it stands. */
             CHGVAR     VAR(&MSG) VALUE(%SST(&TMPLOG 1 132))
             CALL       PGM(TECHLIB/DFUWLE) PARM(&USER &DATE &MSG)
             GOTO       CMDLBL(READF)

 EOF:        CHGVAR     VAR(&MSG) VALUE(&TIME *BCAT '** END UPDDTA **')
             CALL       PGM(TECHLIB/DFUWLE) PARM(&USER &DATE &MSG)
             DLTOVR     FILE(*ALL)
 END:        ENDPGM
F*
F* Write SQL log
F* Written by Gamini Welikala January 2004 - STC
F*
F* Adds one record to DFUTLF for each call: the user, the date and one
F* line of text received as parameters. Presumably this is the program
F* called as TECHLIB/DFUWLE by the CL on this page - confirm.
F* NOTE(review): whoever may add or change records in DFUTLF can alter
F* the audit trail - confirm end users have no direct authority to it.
F*
FDFUTLF    O  A E             disk
D*
D* Declares (IP3 is not referenced in the code shown)
DIP3              s              3A
C*
C* Main Routine
C*
C     *ENTRY        PLIST
C                   PARM                    USER             10
C                   PARM                    DATE1             6
C* NOTE(review): MSG is 128 long, while the calling CL on this page
C* passes a 132-character variable and DFUTXT is 132A; the last four
C* characters of a log line appear not to be copied - confirm.
C                   PARM                    MSG             128
C*
C* Copy the parameters into the record fields and write the record.
C                   movel     user          userid
C                   movel     date1         date
C                   movel     msg           dfutxt
C                   write     DFUTLFR
C* the end of the program
C*
C                   eval      *inlr = '1'
C                   return
C*
F* Writes one access-log record to file DFULAA from the eight values
F* passed in: date, time, user, command, allowed flag, library, file
F* and member. The CL wrapper on this page calls TECHLIB/DFULAA with
F* these parameters for every grant and every denial.
F* NOTE(review): the DDS on this page names the record DFUALFR, while
F* this program writes DFULAAR - confirm which name is current.
F* NOTE(review): this file is the record of who was allowed or refused,
F* so confirm end users have no direct authority to change it.
FDFULAA  O   E                    DISK
C           *ENTRY    PLIST
C                     PARM           DATEI   6
C                     PARM           TIMEI   8
C                     PARM           USERI  10
C                     PARM           CMDI   10
C                     PARM           ALLOWI  1
C                     PARM           LIBI   10
C                     PARM           FILEI  10
C                     PARM           MBRI   10
C* Copy each parameter into its record field.
C                     MOVELDATEI     DATE
C                     MOVELTIMEI     TIME
C                     MOVELUSERI     USER
C                     MOVELCMDI      CMD
C                     MOVELALLOWI    ALLOWD
C                     MOVELLIBI      LIB
C                     MOVELFILEI     FILE
C                     MOVELMBRI      MBR
C                     WRITEDFULAAR
C* Set on LR and return so the program ends after one record.
C                     SETON                     LR
C                     RETRN