Four Hundred Guru--Stopping User from Using the System Request Menu

Newsletters	Subscriptions	Forums	Safari	Store	Career	Media Kit	About Us	Contact	Search	Home

Volume 8, Volume 11 -- March 19, 2008

Stopping User from Using the System Request Menu

Published: March 19, 2008

Hey, Joe:

We have some users who misuse the System Request menu by locking critical records and then transferring to an alternate job. They also sometimes use System Request-2 to cancel their previous requests when they should let those requests run straight through to completion. We'd like to restrict access to the System Request menu just for those users. How can I lock them out?

--Bert

There have always been some security and processing issues with allowing everyone to access the System i and AS/400 System Request menu. System Request menu access can be abused and some people need to be kept out. The good news is that it is relatively easy and painless to lock out one, two, or even all *PUBLIC users from accessing the menu.

The key to locking out System Request menu users lies in knowing that the menu uses a Panel Group (*PNLGRP) object called QGMNSYSR that resides in library QGPL. QGMNSYSR is critical to accessing the System Request menu and if a user doesn't have authority to that object, he won't be able to access the menu. By default, the *PUBLIC user has *USE authority to QGMNSYSR, which means that everyone can usually get to the menu. (The *PUBLIC user is a catch-all designation that tells the system what access users can get if they are not explicitly authorized to the object.)

If you want to limit QGMNSYSR access for just one user, you can do it by changing QGMNSYSR's authority list to exclude that user from accessing the object. To remove a user's authority to QGMNSYSR, run the following Grant Object Authority command (GRTOBJAUT).

GRTOBJAUT OBJ(QSYS/QGMNSYSR)
          OBJTYPE(*PNLGRP) 
		USER(User_Name) AUT(*EXCLUDE)

This adds an exclusion entry for the user to QGMNSYSR's authority list. You could also use the Edit Object Authority (EDTOBJAUT) command to add exclusion entries. To do this, run EDTOBJAUT like this:

EDTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP)

From the Edit Object Authority screen that appears, press the F6 key, Add New Users, to add an *EXCLUDE authority entry for the user.

Both techniques perform the same function. After running these commands, the object's authority list would look like this.

User        Group       Authority   
*PUBLIC                 *USE        
User_name               *EXCLUDE        
QSYS                    *ALL

And whenever your locked out user tries to access the System Request menu, he will get the following error message:

CPD2317 - No authority to use system request functions.

The nice thing about this technique is that you can easily add *EXCLUDE entries for individual users, users belonging to certain group profiles, or for all users who are specifically listed in an authorization list object (object type *AUTL). It's also a simple matter to exclude all *PUBLIC users from the System Request menu by running the following GRTOBJAUT command.

GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) USER(*PUBLIC) AUT(*EXCLUDE)

Adding this entry stops all *PUBLIC users from accessing the System Request menu. By restricting *PUBLIC users, you can completely lock down the menu to unauthorized usage. The nice thing is that if you do restrict *PUBLIC access to the menu, you can always let specific users back in by explicitly giving them access to QGMNSYSR. This can be done by running the following GRTOBJAUT command.

GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) USER(User_name) AUT(*USE)

So it's a relatively easy process to restrict and grant access to the System Request menu. It's just a matter of knowing which command to use.

Additional Information From a Previous Article

Regarding my article on Configuring Messaging Software for Overnight Monitoring, Kurt Thomas of CCSS wrote in to remind me that Bytware and Help/Systems aren't the only ones offering monitoring and paging software for the System i:

I work for CCSS, and our QSystems Management line of products allows you to use the methodology you described. QRemote Control allows you to send out SMS messages directly [to the user], using a small GSM device. It also allows you to not only receive messages from the system, but to actively request information about the system; and to use escalations for structured notifications.

Kurt's point is well taken and when searching for System i software products, you should always check out the full range of vendors who offer those products.

--Joe

Configuring Messaging Software for Overnight Monitoring

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Sponsored By
WORKSRIGHT SOFTWARE

Do you need area code information?
Do you need ZIP Code information?
Do you need ZIP+4 information?
Do you need city name information?
Do you need county information?
Do you need a nearest dealer locator system?

We can HELP! We have affordable AS/400 software and data to do all of the above. Whether you need a simple city name retrieval system or a sophisticated CASS postal coding system, we have it for you!

The ZIP/CITY system is based on 5-digit ZIP Codes. You can retrieve city names, state names, county names, area codes, time zones, latitude, longitude, and more just by knowing the ZIP Code. We supply information on all the latest area code changes. A nearest dealer locator function is also included. ZIP/CITY includes software, data, monthly updates, and unlimited support. The cost is $495 per year.

PER/ZIP4 is a sophisticated CASS certified postal coding system for assigning ZIP Codes, ZIP+4, carrier route, and delivery point codes. PER/ZIP4 also provides county names and FIPS codes. PER/ZIP4 can be used interactively, in batch, and with callable programs. PER/ZIP4 includes software, data, monthly updates, and unlimited support. The cost is $3,900 for the first year, and $1,950 for renewal.

Just call us and we'll arrange for 30 days FREE use of either
ZIP/CITY or PER/ZIP4.

WorksRight Software, Inc.
Phone: 601-856-8337
Fax: 601-856-9432
E-mail: software@worksright.com
Web site: www.worksright.com

Senior Technical Editor: Ted Holt

Technical Editors: Howard Arner, Joe Hertvik, Shannon O'Donnell, Kevin Vandever

Contributing Technical Editors: Joel Cochran, Wayne O. Evans, Raymond Everhart,
Bruce Guetzkow, Brian Kelly, Marc Logemann, David Morris

Publisher and Advertising Director: Jenny Thomas

Advertising Sales Representative: Kim Reed

Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

COMMON: Join us at the annual 2008 conference, March 30 - April 3, in Nashville, Tennessee
LANSA: It's Time for 4 days of education at the LANSA User Conference, May 4 – 7, in Orlando
MoshiMoshi: An Interactive Experience for the System i Community. Coming March 30.

IT Jungle Store Top Book Picks

Easy Steps to Internet Programming for AS/400, iSeries, and System i: List Price, $49.95
Getting Started with PHP for i5/OS: List Price, $59.95
The System i RPG & RPG IV Tutorial and Lab Exercises: List Price, $59.95
The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket Developers' Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
iSeries Express Web Implementer's Guide: List Price, $59.00
Getting Started with WebSphere Development Studio for iSeries: List Price, $79.95
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
WebFacing Application Design and Development Guide: List Price, $55.00
Can the AS/400 Survive IBM?: List Price, $49.00
The All-Everything Machine: List Price, $29.95
Chip Wars: List Price, $29.95


Bye Bye System p and i, Hello Power Systems The HP Pitch on Rehosting i5/OS Applications on Integrity NetManage and Rocket Software Call Off Acquisition Deal As I See It: Bringing the Funny HPC Sales Account for Most of 2007's Server Sales Growth


Intel Talks Up X64, Itanium Roadmaps Ahead of IDF Red Hat Releases Enterprise Linux 5.2 Beta HP Goes Big Iron with Eight-Socket Opteron Box As I See It: Bringing the Funny Bye Bye System p and i, Hello Power Systems


iQ4bis Aims to Simplify BI for JD Edwards Shops LogLogic Launches Appliances for the Mid Market EXTOL Adds Dashboard Views to EDI Software CMDB: A Journey, Not a Destination Help/Systems Updates Robot/REPLAY


Making the Case for System z10 Server Consolidation Top Mainframe Stories From Around the Web Chats, Webinars, Seminars, Shows, and Other Happenings


March 15, 2008: Volume 10, Number 11 March 8, 2008: Volume 10, Number 10 March 1, 2008: Volume 10, Number 9 February 23, 2008: Volume 10, Number 8 February 16, 2008: Volume 10, Number 7 February 9, 2008: Volume 10, Number 6


Microsoft Patches 12 Critical Flaws in Office AMD Says Barcelona Bug Is Fixed, Almost Ready to Ramp IBM Hurls $1 Billion at Unified Communications Target Mad Dog 21/21: Plane's Peeking OpenXML-ODF Interoperability Goal of Microsoft Initiative


Sun Readies Dual-Socket Sparc T2+ Servers IBM Readies Big Power6 Boxes, New X64 Servers HPC Sales Account for Most of 2007's Server Sales Growth Server Virtualization and Consolidation Require More Resiliency Arrow Buys French Midrange Distributor


Four Hundred Monitor's Full iSeries Events Calendar

THIS ISSUE SPONSORED BY:
Help/Systems Guild Companies WorksRight Software

	Printer Friendly Version

TABLE OF CONTENTS
Grouping a Union Remember the Allocation Stopping User from Using the System Request Menu

Four Hundred Guru

BACK ISSUES

From the IT Jungle Forums
Data Type *DEC in MSGF How to identify when the OS upgrade was performed ??? FTP in arrival sequence S36 environment problem QSH won't write in batch!