Resolution
How do I stop users from accessing a specific IFS directory from their Windows Explorer using RRM?
fact
VigilEnt Security Agent for iSeries 7.5
fact
Remote Request Management (RRM)
fix
When accessing a directory in an IFS share, the LISTATT and ALLOCON operations from the FILE server are used. This traffic comes through the QIBM_QPWFS_FILE_SERV exit point.
Note: The QIBM_QPWFS_FILE_SERV exit must have our exit program installed and be in Secure mode for user access to be rejected.
To make sure that certain users cannot access certain directories on the IFS share, you must first create Secured Entries which allow users access to the FILE_ALLOCON and FILE_LISTATT operations.
- From PSMENU, take Options 2 PSSecure, 3 Remote Request Management, and 1 Work with Secured Entries.
- Then, press F6 to add a Secured Entry.
You can also set up access to these operations by using more generic rules. This is dependent upon your specific configuration of RRM. Please note the following example Secured Entries:
NW0056T1 Create Secured Entry 16:04:22 2/14/2005
Testsys Add
User . . . . . . . . . . . . . . TEST + Name, :Group, *PUBLIC
Network . . . . . . . . . . . . *ALL +
Operation . . . . . . . . . . . FILE_ALLOCON +
Object Path . . . . . . . . . . *NONE
Action . . . . . . . . . . . . . *PASS + *PASS, *FAIL, *OBJLIST, cal
Swap Profile . . . . . . . . . . Name
Enabled Status . . . . . . . . . Y + Y, N
Delete Collected Entry? . . . . Y + Y, N
NW0056T1 Create Secured Entry 16:04:22 2/14/2005
Testsys Add
User . . . . . . . . . . . . . . TEST + Name, :Group, *PUBLIC
Network . . . . . . . . . . . . *ALL +
Operation . . . . . . . . . . . FILE_LISTATT +
Object Path . . . . . . . . . . *NONE
Action . . . . . . . . . . . . . *PASS + *PASS, *FAIL, *OBJLIST, cal
Swap Profile . . . . . . . . . . Name
Enabled Status . . . . . . . . . Y + Y, N
Delete Collected Entry? . . . . Y + Y, N
To use the generic rules:
- Ensure that users have access to the ALLOCON and LISTATT operations.
- Create a new Secured Entry with the LISTATT operation and the specific IFS directory.
- Set this Secured Entry up to fail as shown in the following example.
NW0015B Work With Secured Entries 13:14:19 2/21/2005
Testsys Add
User . . . . . . . . . . . . . . TEST + Name, :Group, *PUBLIC
Network . . . . . . . . . . . . *ALL +
Operation . . . . . . . . . . . FILE_LISTATT +
Object Path . . . . . . . . . . /TESTDIRECTORY
Action . . . . . . . . . . . . . *FAIL + *PASS, *FAIL, *OBJLIST, cal
Swap Profile . . . . . . . . . . Name
Enabled Status . . . . . . . . . Y + Y, N