Volume 7, Number 38 -- October 31, 2007

Admin Alert: Limiting System i User Sign-ons the Smart Way

Published: October 31, 2007

by Joe Hertvik

In certain scenarios, you may want to limit certain users from starting more than one i5/OS session at a time. While the System i provides a method for limiting all users from starting multiple sessions, it's not widely understood how to limit individual users from starting multiple sessions. This week, I'll examine how to limit individual i5/OS user sign-ons and I'll show you how to use it to your advantage.

The Art of Limiting Multiple Sign-ons

The Limit device sessions system value (QLMTDEVSSN) will generally control whether your users can start more than one user session at a time. When QLMTDEVSSN is set to '1' (on), general user access is limited to one and only one device session for each user (except for System Request '1' sign-ons) and that's it.

Turning on QLMTDEVSSN can be helpful in highly secured environments or when system resources are low. It can also prevent people from "lending out" their user profile to other users so that two or more people cannot sign on to the same System i box with the same user ID. For more information on QLMTDEVSSN and how it works, see my earlier articles on Creating an i5/OS User Profile Architecture and Making OS/400 User Profiles a Little More Secure.

While restricting every user profile in your organization to one session sign-on has some value in highly restricted environments, QLMTDEVSSN tends to lose its charm in the practical world. Practically speaking, people do need to start more than one session at a time on their PCs, and key users may occasionally need to sign on to two different machines at once. So for all its noble purpose, I suspect that QLMTDEVSSN activation has never been a popular technique in most i5/OS shops.

Where Limited Session Access Makes Sense

In spite of the flaws in using QLMTDEVSSN on the system level, it's important to note that you shouldn't hesitate to limit System i user device sessions where it makes sense. While the QLMTDEVSSN system value can be a lousy choice for deployment to the masses, the limit device sessions feature does have a place in securing users who legitimately should be forced to sign on to one and only one session at a time. Here are a few examples where it might come in handy to deploy a solution that stops individual users from signing on to more than one terminal session or device at a time.

  • For retail employees using Point of Sale (POS) devices, to avoid difficult situations by tying a specific clerk to one POS device at a time
  • For warehouse inventory workers who need to be signed on to only one scanner at a time, in order to audit their activity
  • For any manager who skirts system security by signing on to multiple terminals in his department at one time instead of obtaining separate profiles for his staff. (I've found this to be a popular technique for signing on temporary workers in warehouse environments.)

While these users don't represent the majority of system users, they present an opportunity to use i5/OS' localized version of QLMTDEVSSN, where you turn on the "limit device sessions" function for one user at a time without affecting the entire company. You can do this by correctly setting the "limit device sessions" parameter (LMTDEVSSN) for any user profile that needs to be limited to signing on to a single device session. Here's how it's done.

Stopping Individuals From Starting Multiple Sessions

To limit a single user to one device session at a time, you simply edit the user profile that you want to control. Do this by running the "Change User Profile" command (CHGUSRPRF) from a 5250 green-screen session.

	CHGUSRPRF USRPRF(user_profile)

Type in this command and press the F4 key (prompt) followed by the F10 key (additional parameters) so that you can see and modify all user profile parameters for this user. At the bottom of the second CHGUSRPRF screen, you will see the "limit device sessions" parameter (LMTDEVSSN). By default, i5/OS sets the LMTDEVSSN parameter of each newly created user profile to *SYSVAL. *SYSVAL means that whenever the user signs on, i5/OS checks the "limit device sessions" system value (QLMTDEVSSN) and allows or refuses multiple i5/OS sessions based on what it finds there. If QLMTDEVSSN is turned on ('1'), the user will not be able to start multiple sessions. If QLMTDEVSSN is turned off ('0'), the user can start as many sessions as they want on their own device or on any other device in the company. So by default, every new user takes their private LMTDEVSSN user profile value from the global QLMTDEVSSN system value.

The key point to take away from how the system uses QLMTDEVSSN for determining whether users can run more than one session at a time is this.

The limit device sessions system value, QLMTDEVSSN, sets the recommended setting for determining whether users can run more than one session at a time for every user on your entire i5/OS partition; the LMTDEVSSN parameter in each individual user profile tells i5/OS whether or not to enforce that setting when that particular user signs on.

What this means is that as System i administrators, we can override the QLMTDEVSSN system value and decide for ourselves whether or not we want to limit each user profile to a single session at a time. You can remove the linkage between a user profile and the QLMTDEVSSN system value by setting the user profile's LMTDEVSSN parameter to one of the following values, instead of leaving it at its default value of *SYSVAL.

*YES – The system will always restrict the user to signing on to a single device session, regardless of what value the QLMTDEVSSN system value is set to.

*NO – The system will not restrict the user as to how many device sessions he can sign on to. This user profile can sign on to as many device sessions as it requests.

Once LMTDEVSSN is set to one of these two values for a user, the system will no longer refer to the QLMTDEVSSN system value when that user signs on.

Putting LMTDEVSSN To Work for Groups of People

To put LMTDEVSSN into action for a larger group of individuals, you can set your QLMTDEVSSN and LMTDEVSSN values in one of the following two ways.

  1. If you want to take a subset of users and restrict them from signing on to the system more than once, you can set QLMTDEVSSN to '0' (off) and set the LMTDEVSSN parameter to *YES on each individual user profile that you want to restrict to single sessions. Make sure that the LMTDEVSSN parameter for all other user profiles is set to *SYSVAL, so they will always follow the QLMTDEVSSN system value.
  2. If you're in a high security environment where you want to restrict all users from using multiple sessions but you have a subset of super-users who are authorized to sign on to more than one session at a time, you can set QLMTDEVSSN to '1' (on) and then set the LMTDEVSSN parameter to *NO on each individual user profile that you want to allow to use multiple sessions. Again, make sure that the LMTDEVSSN parameter on all other user profiles is set to *SYSVAL.
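To make the override rule and the two deployment patterns above concrete, here is an added Python example; it is not from the article or from IBM. It encodes the rule the article describes (a profile's LMTDEVSSN of *YES or *NO wins, *SYSVAL defers to QLMTDEVSSN), decides whether a sign-on would be accepted given how many sessions a user already holds, and turns a per-profile policy into the CHGSYSVAL and CHGUSRPRF commands that implement it with the fewest overrides. The profile names and policies are constructed, and the script only produces command strings; it does not talk to a System i.

```python
"""Plan and check LMTDEVSSN overrides for a set of i5/OS user profiles.

Constructed example: models the QLMTDEVSSN / LMTDEVSSN resolution rule and
emits the CL commands for the two deployment patterns (a few restricted
users, or a few unrestricted super-users). Profile names are made up.
"""
import re
from typing import Dict, List, Tuple

# QLMTDEVSSN is a one-character system value: '1' limits every *SYSVAL
# profile to a single device session, '0' leaves those profiles unlimited.
SYSVAL_ON = "1"
SYSVAL_OFF = "0"


def effective_limit(qlmtdevssn: str, lmtdevssn: str) -> bool:
    """Return True if this profile is held to one device session at sign-on.

    *YES and *NO on the profile override the system value; *SYSVAL defers
    to QLMTDEVSSN. Unknown values are rejected rather than guessed.
    """
    if lmtdevssn == "*YES":
        return True
    if lmtdevssn == "*NO":
        return False
    if lmtdevssn != "*SYSVAL":
        raise ValueError(f"unknown LMTDEVSSN value {lmtdevssn!r}")
    if qlmtdevssn not in (SYSVAL_ON, SYSVAL_OFF):
        raise ValueError(f"unknown QLMTDEVSSN value {qlmtdevssn!r}")
    return qlmtdevssn == SYSVAL_ON


def signon_allowed(qlmtdevssn: str, lmtdevssn: str,
                   active_sessions: int, via_sysreq1: bool = False) -> bool:
    """Would a new sign-on for this profile be accepted?

    active_sessions is how many device sessions the profile already holds.
    A System Request option 1 secondary sign-on on the same device is exempt
    from the limit, as the article notes.
    """
    if via_sysreq1 or not effective_limit(qlmtdevssn, lmtdevssn):
        return True
    return active_sessions == 0


def plan_overrides(wanted: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Turn a per-profile policy into the system value plus CL commands.

    wanted maps profile name -> True (one session only) or False (no limit).
    QLMTDEVSSN is set to match the larger group, so only the smaller group
    needs a *YES or *NO override; every other profile is explicitly reset to
    *SYSVAL so a stale override cannot silently contradict the policy.
    """
    limited = sum(1 for limit in wanted.values() if limit)
    unlimited = len(wanted) - limited
    sysval = SYSVAL_ON if limited > unlimited else SYSVAL_OFF
    commands = [f"CHGSYSVAL SYSVAL(QLMTDEVSSN) VALUE('{sysval}')"]
    for profile, limit in sorted(wanted.items()):
        if limit == (sysval == SYSVAL_ON):
            setting = "*SYSVAL"          # the system value already does the job
        else:
            setting = "*YES" if limit else "*NO"
        commands.append(f"CHGUSRPRF USRPRF({profile}) LMTDEVSSN({setting})")
    return sysval, commands


_CHGUSRPRF = re.compile(r"CHGUSRPRF USRPRF\((\w+)\) LMTDEVSSN\((\*\w+)\)")


def profile_settings(commands: List[str]) -> Dict[str, str]:
    """Read the emitted CHGUSRPRF commands back into profile -> LMTDEVSSN."""
    return {m.group(1): m.group(2)
            for cmd in commands for m in [_CHGUSRPRF.fullmatch(cmd)] if m}


def verify_plan(wanted: Dict[str, bool]) -> bool:
    """Check that every profile ends up with exactly the limit requested."""
    sysval, commands = plan_overrides(wanted)
    settings = profile_settings(commands)
    return all(effective_limit(sysval, settings[p]) == limit
               for p, limit in wanted.items())


# Constructed sample policies (profile names are made up).
RETAIL_WANTED = {                      # pattern 1: a few restricted users
    "POSCLERK1": True, "POSCLERK2": True, "SCANNER01": True,
    "ACCTG1": False, "ACCTG2": False, "ACCTG3": False, "ACCTG4": False,
}
HIGHSEC_WANTED = {                     # pattern 2: a few unrestricted super-users
    "SECOFR2": False, "OPSMGR": False,
    "CLERK1": True, "CLERK2": True, "CLERK3": True, "CLERK4": True,
}

if __name__ == "__main__":
    for name, policy in (("retail", RETAIL_WANTED), ("highsec", HIGHSEC_WANTED)):
        sysval, commands = plan_overrides(policy)
        print(f"-- {name}: QLMTDEVSSN={sysval}, verified={verify_plan(policy)}")
        print("\n".join(commands))
```

The planner deliberately emits LMTDEVSSN(*SYSVAL) for the profiles that do not need an override: leaving them untouched is the usual mistake, because a profile that was set to *NO during some earlier emergency keeps bypassing QLMTDEVSSN after you turn the system value on. verify_plan re-reads the generated commands and checks the resulting effective limit for every profile, which is the same check you would run against DSPUSRPRF output after applying the changes for real.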

And, Lest We Forget OpsNav

For completeness, I should note that you can also use iSeries Navigator (OpsNav) to set the "limit device sessions" parameter for a user profile. To set this parameter in OpsNav, find and open the user profile that you want to change by expanding the Users and Groups→All users node and double-clicking on the user profile name that you want to change. Inside the Job Properties screen that appears, click on the Jobs button and select the Session Startup tab at the top of the screen. In the Session startup area, click on the Limit device sessions dropdown box and select either the Use system value, Limit to one session, or Do not limit sessions option. All of these choices produce the same effect as setting the LMTDEVSSN parameter for a user profile from the green-screen CHGUSRPRF command.

Easy To Use When You Need It

The "limit device sessions" feature isn't for every shop and the majority of System i, iSeries, and AS/400 organizations will do just fine by using the default values. However, if you run into a situation where one or more users need to run at a different LMTDEVSSN setting than the rest of your company, it's handy to know how to control these values at the user level as well as at the system level.

About Our Testing Environment

Configurations described in this article were tested on an i5 550 box running i5/OS V5R3. Most of the commands shown here are also available in earlier versions of the operating system running on iSeries or AS/400 machines. If a command or function is present in earlier versions of the i5/OS or OS/400 operating systems, you may notice some variations in the pre-V5R3 versions of these commands. These differences may be due to command improvements that have occurred from release to release.


RELATED STORIES

Creating an i5/OS User Profile Architecture

Making OS/400 User Profiles a Little More Secure






Senior Technical Editor: Ted Holt
Technical Editors: Howard Arner, Joe Hertvik, Shannon O'Donnell, Kevin Vandever
Contributing Technical Editors: Joel Cochran, Wayne O. Evans, Raymond Everhart,
Bruce Guetzkow, Brian Kelly, Marc Logemann, David Morris
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
